FINN LANDEGREN Technical infrastructure networks as socio … · 2017-12-01 · Annalee Newitz from...

FINN

LAN

DEG

REN

Technical infrastructure netw

orks as socio-technical systems 2017

978

9188

9348

40Faculty of Engineering

Division of Industrial Electrical Engineering and AutomationISBN 978-91-88934-84-0

CODEN LUTEDX/(TEIE-1082/1-154/(2017)

Technical infrastructure networks as socio-technical systemsAddressing infrastructure resilience and societal outage consequencesFINN LANDEGREN

FACULTY OF ENGINEERING | LUND UNIVERSITY

Finn Landegren has been a Ph.D. student at the Division of Industrial Electrical Engineering and Automation, Lund University, Sweden. He has a Master’s degree in Socio-technical systems engineering from Uppsala University. His research is funded by the Swedish civil contingencies agency and concerns development of methods for analysis of large disturbance events in technical infrastructure networks. Two main aspects have been in focus in the research work: the process of restoring infrastructure services after large disturbance events and the societal consequences of infrastructure outage.

1

Technical infrastructure networks as socio-technical systems

2

3


Addressing infrastructure resilience and societal outage consequences

Finn Landegren

Thesis for the degree of Doctor of Philosophy in Engineering Thesis supervisors: Professor Olof Samuelsson

Associate Professor Jonas Johansson

To be presented, with the permission of the Faculty of Engineering of Lund University, for public criticism in the M:B lecture hall, Mechanical Engineering

building, Ole Römers väg 1, Lund on the 23rd of January 2018 at 10:15.

Faculty opponent: Professor Gerd Kjølle Norwegian University of Science and Technology and SINTEF

Trondheim, Norway

4

Organization LUND UNIVERSITY Faculty of Engineering Division of Industrial Electrical Engineering and Automation

Document name DOCTORAL DISSERTATION

Date of issue 2018 January 23

Author Finn Landegren

Sponsoring organization Swedish civil contingencies agency (MSB)

Title and subtitle Technical infrastructure networks as socio-technical systems - Addressing infrastructure resilience and societal outage consequences

Abstract Research area: Modern society is increasingly dependent on a range of technical infrastructure networks including e.g. power, transport and IT networks. This dependence is illustrated by large disturbances which from time to time affect these systems, often to an extent which few did consider possible.The overarching aim of this thesis is to advance analysis methods concerning large disturbance events in technical infrastructure networks. Work is performed in three areas: 1) modelling of technical infrastructure networks to enable exploration of resilience with respect to large disturbance events, 2) development of resilience metrics for assessment of impact on performance of technical infrastructure networks from system parameter changes given large disturbance events and 3) quantification of societal consequences of electricity outages. Methods: The model for simulation of restoration processes of networks consists of two sub-models, one representing the infrastructure network and one representing the repair system. This enables explicit assessment of impact on system performance from technical as well as non-technical decision variables. The model is used for three case study systems and six quantitative resilience metrics are evaluated, three of them being developed and presented for the first time in the thesis. Quality of supply regulations as well as the Swedish Styrel system are used for contrasting societal consequences of electricity outages. A study is performed in which the regulations are used to determine and contrast the weights of electricity customers. Conclusions: The work presented in the thesis enables modelling of restoration processes of electricity and IT networks. In contrast to previous models used for this purpose, the developed model can simultaneously consider many simultaneous failures, prioritization of repairs and levels of repair system resource and their variation over time, enabling exploration of system performance with respect to several crucial resilience metrics. Three metrics: margin and sensitivity1 and 2 are found to be useful for quantitative assessment of impact on system performance from parameter changes. The case studies on societal consequences of electricity outages show that the contrasted consequence metrics are often not in agreement, posing the question if Swedish quality of supply regulations need to be adjusted to better consider some aspects of societal electricity outage consequences.

Key words Critical infrastructure, Socio-technical system, Resilience, Restoration, Simulation, Quality of supply regulation, Societal consequence

Classification system and/or index terms (if any)

Supplementary bibliographical information Language English

ISSN and key title ISBN 978-91-88934-84-0 (print) 978-91-88934-85-7 (pdf)

Recipient’s notes Number of pages 154

Price

Security classification

I, the undersigned, being the copyright owner of the abstract of the above-mentioned dissertation, hereby grant to all reference sources permission to publish and disseminate the abstract of the above-mentioned dissertation.

Signature Date 2017-11-27

5


Addressing infrastructure resilience and societal outage consequences

Finn Landegren

6

Cover illustration by author: power supplied by electricity distribution network as a function of time in simulated disturbance scenarios, assuming six different levels of strain, from top to bottom: N-1, N-2, N-3, N-6, N-9 and N-12.

Cover illustration back: Author’s portrait

© 2017 Finn Landegren

Division of Industrial Electrical Engineering and Automation

Department of Biomedical Engineering

Faculty of Engineering

Lund University

Box 118

SE-22100 Lund

Sweden

ISBN 978-91-88934-84-0 (print)

ISBN 978-91-88934-85-7 (pdf)

CODEN: LUTEDX/(TEIE-1085)/1-154/(2017)

Printed in Sweden by Media-Tryck, Lund University, Lund 2017

7

“Scientists, philosophers, writers, engineers, doctors, astronauts, and ordinary people are working tirelessly on world-changing projects, assuming that one day our lives can be saved on a massive scale. As their work comes to fruition, our world becomes a very different, more liveable place.”

Annalee Newitz from Scatter, Adapt, and Remember –

How Humans will Survive a Mass Extinction (p. 11)

8

Table of Contents

Acknowledgement ......................................................................................... 10

Popular summary .......................................................................................... 11

Terminology.................................................................................................. 13

Chapter 1 Introduction ............................................................................................ 15

1.1 Motivation ........................................................................................... 15

1.2 Research questions ............................................................................... 18

1.3 Delimitations ....................................................................................... 21

1.4 Users of research results ....................................................................... 22

1.5 Research contributions ......................................................................... 23

1.6 Publications ......................................................................................... 23

1.7 Outline of the thesis ............................................................................. 24

Chapter 2 . Background .......................................................................................... 27

2.1 Concepts and definitions ..................................................................... 27 Critical infrastructures ......................................................................... 27 Socio-technical systems ........................................................................ 29 Risk, vulnerability & resilience............................................................. 30

2.2 Electricity and IT networks .................................................................. 33 Overview of the Swedish power system ................................................ 33 Power system regulations in Sweden .................................................... 34 IT networks ......................................................................................... 37 Assessment of restoration time of infrastructure systems ....................... 38

Chapter 3 Modelling technical infrastructure networks to enable assessment of socio- technical system resilience .......................................................... 41

3.1 Network modelling .............................................................................. 42

3.2 Agent based modelling ......................................................................... 43

3.3 Assessing socio-technical system resilience ............................................ 43

9

Chapter 4 Resilience metrics for quantitative assessment of impact on system performance from parameter variation ..................................................... 49

Chapter 5 Comparison of quality of supply regulations and societal outage consequences ........................................................................................... 57

Chapter 6 Discussion ............................................................................................... 61

6.1 Modelling technical infrastructure networks to enable assessment of socio-technical system resilience ........................................................... 61

6.2 Resilience metrics for quantitative assessment of impact on system performance from parameter variation ................................................. 62

6.3 Comparison of quality of supply regulations and the societal outage consequences ........................................................................................ 63

Chapter 7 Conclusions and future research ............................................................... 65

References ................................................................................................................ 69

Summary of appended papers .................................................................................. 75 Author contributions ............................................................................ 77

Scientific publications .............................................................................................. 79

10

Acknowledgement

Having studied the critical infrastructures of our society I’ve also come to learn quite a bit about the critical role of friends and colleagues. Therefore, thanks are in order. First and foremost, Jonas Johansson and Olof Samuelsson, thanks for coming up with a thrilling research topic. Thanks also for acting as the supervisors you are by not letting me go astray but instead consistently pointing to the goal I should aim for. Thanks also goes to the employees at the electricity distribution company and to the IT experts for offering me the material without which the research presented here could never have been done. It has been an exciting challenge to bridge the complexity of your reality and the simplicity of my models.

Thanks IEA colleagues for an enjoyable work environment and for much warmth. Special thanks to Lars Lindgren for his never seizing enthusiasm for grappling with all sorts of technical questions, to Ulrika Westerdahl and Carina Lindström for always helping out in matters of administration and to Ulf Jeppsson for his commitment in leading the division. Thanks Ramesh Saagi for lots of valuable suggestions concerning the editing of the thesis. Thanks Reza Safari Tirtashi for all the discussions that we have had concerning work and life in general.

Thanks also to the project partners in PRIVAD, fellow PhD-students as well as more senior researchers. I really appreciate the great breadth of competencies that we have within this project and the fact that we have intermingled these competencies in our research work. Thanks goes in particular to Sardar Muhammad Sulaman, Martin Höst and Peter Möller for guiding me in the world of IT networks. Thanks MSB for funding my research. I’m inspired by the thought of being able to contribute to your vision of a functioning society in a changing world.

Thanks friends in Uppsala and elsewhere for enriching my life. Thanks mum, dad, Nils, Kalle, grandma Ingrid, Houchang and Zeinab for all your support and care. Last but definitely not least: thanks Taravat, azizam, for being my life partner, thanks Estrid and Erik for being endless sources of joy.

Thanks!!

11

Popular summary

Modern society is increasingly dependent on a range of infrastructure systems. The work presented in this thesis is believed to be relevant for a sub-group of these infrastructures, here referred to as technical infrastructure networks. Examples of such infrastructures are power, transport and IT networks while other, possibly equally critical infrastructure systems such as the banking and health care systems, are not included.

Our great dependence on technical infrastructure networks is illustrated by large disturbances which from time to time affect these systems, often to an extent which few did consider possible. The overarching aim of this thesis is to advance analysis methods concerning large disturbance events in technical infrastructure networks. However, the disturbances that are in focus here are primarily those that are due to component damages of some kind, and for which repair work is needed to achieve recovery. In this analysis the concept resilience is of particular importance. Resilience here refers to the ability of the infrastructure to withstand sudden shocks with little loss of system functionality and/or a quick recovery.

Work is performed in three areas: 1) modelling and simulation of technical infrastructure networks to enable exploration of system resilience with respect to large disturbance events, 2) development of resilience metrics for assessment of impact on performance of technical infrastructures from system parameter changes given large disturbance events and 3) evaluation of to what extent existing quality of supply regulations reflect the societal consequences of electricity outages.

A model is developed for simulation of restoration processes of infrastructure networks. The model consists of two sub-models, one representing the infrastructure network and one representing the repair system. This enables assessment of system resilience and assessment of impact on system performance from technical as well as organizational decision variables. The model is applied for real life electricity and IT networks. This analysis involves well researched resilience metrics as well as three quantitative resilience metrics which are proposed in this thesis. Two Swedish quality of supply regulations as well as the Swedish Styrel system are used for contrasting societal consequences of electricity outages. A study is performed in which the regulations are used to determine and contrast the weights of electricity customers in a Swedish municipality.

The main conclusions from the thesis are the following: Regarding research area 1: the developed simulation model enables exploration of the resilience of technical infrastructure networks. Since the technical network is explicitly represented it is possible to simulate large numbers of simultaneous component failures which is relevant in the context of large disturbance events. Since technical as well as non-technical system parameters are explicitly represented it is also possible to investigate

12

the impact of modification of technical and non-technical system parameters on resilience which enables evaluation of system improvement options.

Regarding research area 2: the proposed quantitative resilience metrics can give an overview to how closely the system is positioned to a safety boundary with respect to different system resources and an understanding of how the systems performance will degrade as the system moves to, and across the safety boundary with respect to these different resources. It is concluded that the proposed metrics can complement existing quantitative resilience metrics by showing how the studied system reacts to changes in system parameters. It is further concluded that the metrics are likely to be of particular relevance in the analysis of large disturbance events.

Regarding research area 3: It is concluded that customers that are critical for society may need to be considered separately in future quality of supply regulations, to make penalties relating to outage of these customers be more in proportion to their importance for society. It is also concluded that the minor expert elicitation survey carried out for obtaining weights of Styrel priority classes suggests one way in which weights of high priority customers can be obtained for incorporation in quality of supply regulations.

13

Terminology

Term Definition Acronym

Agent based modelling

A bottom-up simulation approach which enables system level simulation based on agent level models. Described further in section 3.2.

ABM

Critical infra-structure

A critical infrastructure enables societal functions that are fundamental for national security, national economic security and/or national public health and safety. Described further in section 2.1.

CI

Distribution system operator

An actor responsible for supplying one or more infrastructure services in a given area.

DSO

N-k Denotes the failure of k components in a technical infrastructure network with N components.

-

Outage compensation regulation

A Swedish regulation specifying the compensation that customers will get from their DSO in the event of long electricity outages. Described further in section 2.2.

OCR

Revenue frame regulation

A Swedish regulation specifying the allowed revenue of DSOs based on their level of performance. Described further in section 2.2.

RFR

Socio-technical system

A system that encompasses technical, organizational as well as individual human sub-components. Described further in section 2.1.

STS

Technical infrastructure network

An infrastructure system that is predominantly of a technical nature. Described further in section 2.1.

-

14

15

Chapter 1 Introduction

In this chapter, the research work is motivated and the research questions of the thesis are described. This is followed by a description of the delimitations of the research work and a presentation of actors that are believed to benefit from the developed methods and results. Then, overall research contributions of the work are described and the publications related to the thesis are listed. Finally, an outline is given of the remaining parts of the thesis summary. The reader is referred to the appended papers for details about studied systems, modelling approaches, results and conclusions of the research work.

1.1 Motivation

Our society today depends on technological systems of a complexity vastly surpassing what could be conceived of only a hundred years ago. Among these systems so called technical infrastructure networks, e.g. electricity, transport and IT networks, have a primary importance. While these systems have undeniably provided us with great benefits they have also become unprecedented sources of vulnerability (Winner, 2004). This vulnerability is illustrated with special clarity by recurring large disturbance events, e.g. the 1998 North American ice storm (RMS, 2008), the 2003 blackout in the Northeastern U.S. (Minkel, 2008), the Hurricane Gudrun in 2005 (Toll, 2007) and the Eyjafjallajökull volcano eruption in 2010 (Lee et al., 2012).

When attempting to analyse large disturbance events regarding individual technical infrastructure networks, we are faced by several challenges which make approaches used for more small disturbance events ill suited. These challenges can be tentatively categorized under the following main headings (all except point 4. are addressed in the research work):

1. Many simultaneous failures

2. Restoration prioritizations

3. Restoration resource limitations

4. Infrastructure dependencies

5. Societal consequences

16

Here the five items are discussed with examples taken from the four above mentioned large disturbance events. Often, large disturbances involve many simultaneous failures. In the case of Hurricane Gudrun the two largest network operators in the affected region “E.on and Vattenfall, lost a total of almost 30 000 km of lines during the storm. Of E.on’s 21 500 km of damaged lines, over 2 000 km had to be completely rebuilt. This can be compared with E.on’s activities during the whole of 2004, during which it modernised 1 200 km of lines” (Toll, 2007, p. 23). The volcanic ash from Eyjafjallajökull made flight routes across Europe impassable (Lee et al., 2012), in the 2003 blackout of Northeastern US a cascading failure brought down power lines across eight Northeastern states as well as in Southeastern Canada (Minkel, 2008), and in the 1998 Ice storm in Canada a build-up of ice on power lines and poles and on trees brought down large parts of the electricity and road network of the Canadian provinces Ontario and Québec as well as Northeaster U.S (RMS, 2008).

In the event of many simultaneous failures it will be important to decide in what order restoration should be achieved. Two factors that are likely to be important when making such decisions is the time required for restoring components as well as the number of customers that are supplied through the components. For instance, some components can be restored without repair work of any kind (e.g. a power line that has tripped due to overloading) while other components require repair work. The latter type of restoration is more time demanding and therefore is likely to be a less time efficient way of restoring customers. Following the hurricane Gudrun repairs in the sub-transmission network were prioritized before repairs in local distribution networks. This meant that the sub-transmission networks were restored relatively quickly, usually within 24 hours (Toll, 2007, p. 23). The likely reason for this prioritization is that components in the sub-transmission network supply more customers than do components in the distribution network. While prioritization between networks at different voltage levels is more straightforward, it can be less clear how component failures at the same voltage level should be prioritized.

Consideration of restoration resources, e.g. backup power units and repair personnel, becomes crucial in the context of large disturbance events. These resources are likely to be dimensioned for frequently recurring but rather small-scale events and conversely, are likely to prove insufficient in the event of large disturbances, which may then delay recovery. Concerning Hurricane Gudrun it is remarked that “A serious problem in any major crisis is the shortage of trained personnel that quickly arises when a considerable amount of work of the same type has to be performed in many places simultaneously. In the case of the network operators, problems arose due to the shortage of forestry workers and linesmen” (Toll, 2007, p. 33). To cope with resource limitations, resources may be brought in from other areas. This happened during the recovery after hurricane Gudrun, in fact personnel were brought in from Southern Sweden, from other parts of Sweden as well as from abroad. For some types of large disturbance events there are little or no applicable resources for restoring the infrastructure service. This is

17

demonstrated by the Eyjafjallajökull volcano eruption and its effect on the airline transport network. In this case there were no infrastructure restoration activities, recovery instead occurred due to a natural lowering of the level of ash particles in the air1.

Infrastructure dependencies are, in contrast to the other four challenges, not considered in the research work. This challenge is illustrated by the Hurricane Gudrun: “In addition to the physical damage to the telecommunications infrastructure, the power failures caused by the storm resulted in major interruptions to electronic communications.” (Toll, 2007, p. 17) Furthermore, the infrastructure dependencies may affect the recovery of each individual infrastructure system. “The loss of telephone communication systems made the work of restoring power supplies more difficult. Linesmen had to travel miles to be able to order what they needed. Couriers were sent out with work orders, and meetings had to be arranged in advance.” (Toll, 2007, p. 30) Infrastructure dependencies are also illustrated by the 1998 ice storm since telecommunication infrastructures were damaged both directly, due to ice loading, as well as indirectly, due to loss of electricity supply.

Societal consequences of large disturbances are often extensive. A subsequent survey of 663 000 customers who suffered from the Hurricane Gudrun showed that “about 354 000 of them had supplies restored within 24 hours. 159 000 customers were without power for between one and three days, 82 000 without power for between four and seven days, 56 000 without power for between eight and twenty days, and 12 000 without power for more than 20 days” (Toll, 2007, p. 25). Naturally this gives rise to great costs for society: “The total cost to society for the electricity failure has been estimated as about SEK 1 600–2 100 million. To arrive at an overall total cost, we need to add the network operators’ costs to this figure, estimated as amounting to about SEK 2 600 million for all the network operators in the area hit by the storm. The conclusion is that the loss of power supply after storm Gudrun resulted in an additional cost to society of about SEK 4 000–5 000 million.” (Toll, 2007, p. 49) No deaths resulted from the infrastructure disturbances of the storm, this however may have been due to favourable circumstances: “Despite occurring at the beginning of January, the weather was unusually mild, with less need of heating than would normally be expected at this time of year.” (Toll, 2007, p. 16) Another type of consequences which cannot easily be translated into monetary terms are those relating to environmental damage. The electricity outages had severe effects on the wastewater treatment of Ljungby municipality. “30 000 m³ of untreated sewage effluent ran out into rivers and lakes during January and February as a result of the power failures” (Toll, 2007, p. 42). In the 2003 blackout of Northeastern US 50 million people lost power for up to two days. The overall costs from the outage are estimated to be 6 billion USD and the outage contributed to at least 11 deaths (Minkel, 2008). In the 1998 ice storm 4.7 million 1 http://news.bbc.co.uk/2/hi/science/nature/8621992.stm, (2017-10-20)

18

people in Canada and another 500 000 in the U.S. lost power. 600 000 people moved out of their homes, with 100 000 taking residence in temporary shelters to escape the cold. The event also led to 28 deaths (RMS, 2008).

1.2 Research questions

The overarching aim in this thesis is to advance analysis methods concerning large disturbance events in technical infrastructure networks. However, the disturbances that are in focus here are primarily those that are due to component damages of some kind, and for which repair work is needed to achieve recovery. Also, the technical infrastructure network research field is broad and the focus is therefore narrowed down primarily to electricity and IT networks. The main reason for choosing to focus the research work on electricity and IT networks is that these technical infrastructure networks are arguably two of the infrastructures which our society is most dependent upon, at least when considering shorter outage durations. The exceptional importance of the electricity network is illustrated in Petermann et al. (2014) and the major importance of IT networks is demonstrated in Bisogni & Cavallini (2010). Also work considering cascading effects of infrastructure outages show that outages in these systems affect other infrastructure systems to a relatively large degree (Johansson et al., 2015). A further contributing reason for choosing to focus on these two infrastructures is that, within the departments at which the research work was carried out, contacts were already established with an electricity distribution system operator (DSO) as well as with operators of IT networks thereby making these systems suitable topics of study.

The research presented in this thesis aims at answering three research questions (A-C):

A. How can technical infrastructure networks be individually modelled to enable exploration of the resilience of the overall socio-technical system with respect to large disturbance events?

B. What resilience metrics are suitable for quantitative assessment of impact on performance of technical infrastructure network from system parameter changes given large disturbance events?

C. To what extent do present quality of supply regulations reflect the importance of different electricity customer categories from a societal perspective?

Work concerning research question A is described in Chapter 3, work concerning question B is described in Chapter 4 and work concerning question C is described in Chapter 5. Below the research questions are each described under separate headings. It is clarified in what way they concern the challenges regarding analysis of large disturbance events in technical infrastructure networks described previously.

19

A. How can technical infrastructure networks be individually modelled to enable exploration of the resilience of the overall socio-technical system with respect to large disturbance events?

As is illustrated by the abovementioned examples of large disturbance events, the societal costs of these events are great. The question is therefore posed how these systems can be designed so that system resilience is increased. When answering this question, the challenges 1-3 enumerated above should be borne in mind, i.e. we should consider: 1) many simultaneous component failures, 2) prioritization rules used by the network operator to decide order of repair and 3) available restoration resources over time including the possibility to receive resources for instance from network operator cooperation groups. To accomplish this a model is needed that considers the infrastructure system as a socio-technical system consisting on the one hand of a technical sub-system which may be exposed to strains of various levels and, on the other hand, a repair system which performs repairs according to certain prioritization rules and makes use of restoration resources of various types. The necessity of considering critical infrastructures as socio-technical systems has previously been pointed out by several researches (e.g. Little 2004, Ottens et al. 2006, Kroes et al. 2006, Hansman et al. 2006). Little suggests that a socio-technical system can be thought of as encompassing technical, organizational and individual human sub-components and argues that it will be necessary to understand the interactions between these different entities to achieve a successful strategy for urban security. Kroes et al. and Ottens et al. both argue that socio-technical systems, such as critical infrastructures, require other methods for their analysis than purely technical systems. These methods must recognize the technical as well as non-technical sub-components of the systems. Hansman et al. propose an infrastructure research agenda. One of the four points on this agenda is the creation of integrated socio-technical infrastructure models. They argue that understanding infrastructures as socio-technical systems will be “fundamental for enabling society to promote most effectively the development and evolution of our infrastructures” (p. 149).

To address point 1) above, it must be decided how component failures are sampled. In traditional reliability theory (Billinton, 1992), historical failure data is used to obtain a so called mean time to failure (MTTF) for each type of component which can then be used to assess the probability of various failure events. As has been demonstrated (Johansson et al., 2013) this type of approach will tend to disregard large disturbance events. A reliability approach will therefore not be used here. An alternative to using MTTF values is to explicitly model hazards as is done for instance in (Ouyang & Wang, 2015). With information about susceptibility of various infrastructure components to the modelled hazard the infrastructure disturbance can be assessed. Here a hazard independent analysis is sought, not because this approach is considered superior but since it is seen as a useful complement to approaches that consider particular hazard types. Explicit modelling of hazards is therefore not performed since it will restrict the

20

analysis to only one type of hazard event. An alternative that is more promising for enabling a hazard independent analysis is vulnerability analysis, e.g. (Johansson et al., 2013), in which case all component failures are equally likely to be sampled in each scenario. Here vulnerability analysis is applied, since it fulfils both the requirement that analysis of large disturbance events should be possible and the requirement that the analysis should be hazard independent. Concerning point 2) and 3) in traditional reliability theory (Billinton, 1992) historical data about repair times is used to obtain so called mean time to repair (MTTR) values. These MTTR values are then used to determine when components will be repaired. Most of the data used for obtaining MTTR values will be from normal, single component failure events. During such events restoration resources are likely to be sufficient, assuming that the network operator is considering normal failure events when dimensioning the stock inventory. Repair is therefore not likely to be delayed due to lack of restoration resources. Conversely, in case of large disturbance events restoration resources are likely to be insufficient, and using MTTR values in this context may, for this reason, be misleading. Instead, to assess the restoration time, it is necessary to explicitly consider the available resources and how repair work on failed components is prioritized.

B. What resilience metrics are suitable for quantitative assessment of impact on performance of technical infrastructure network from system parameter changes given large disturbance events?

As was pointed out already concerning research question A the challenges of large disturbance events create an awareness of the need for system resilience, considering the great societal costs that follow with these events. The resilience concept has gained importance in research fields as diverse as engineering, biology and psychiatry, and it is generally used to convey the ability of a material, biotope or person to withstand sudden shocks (Boin et al., 2010, p. 7). Numerous metrics have been suggested for resilience quantification, see review by Hosseini et al. (2016). However, there appears to be a lack of metrics that consider the impact of system parameter changes on system performance. Qualitative resilience metrics of this type have been proposed (Woods, 2006) and have been applied in qualitative research (e.g. De Carvalho 2011, Mendonça 2015). The metrics have also been determined with a semi-quantitative method (Shirali et al., 2016) in which system operators assess their own performance on an ordinal scale. However, they have not, so far been applied in quantitative research. These metrics are likely to be especially relevant in the context of large disturbance events. As was pointed out previously prioritization rules and the level of available repair system resources are crucial factors in the recovery from large disturbance events, and metrics that can give insight into how changes in such parameters influence system performance are therefore likely to be valuable. Furthermore, the challenges of large disturbance events make qualitative metrics based on self-assessment from experts, such as those proposed by Shirali et al. (2016), difficult to apply. It is difficult for experts to imagine what can happen in the event of large disturbances especially considering that there are

21

few such events to base conclusions on. This makes quantitative metrics based on computer analysis valuable since here the different aspects relating to the above-mentioned challenges can be explicitly considered in computer simulations.

C. To what extent do present quality of supply regulations reflect the importance of electricity customers from a societal perspective?

This research question is formulated in response to challenge 5 (societal consequences). Linares & Rey (2013) distinguish between three different types of electricity outage consequences: direct economic, indirect economic and societal costs. Here the term societal consequence is used instead of societal costs to emphasize that no attempt is made here to assess this type of outage consequences in terms of monetary value. The direct and indirect costs of electricity outages have been the focus of much research, as is described in Van Der Welle & Van Der Zwaan (2007). However, there is still need for research concerning societal consequences of electricity outages. These types of consequences are particularly relevant to consider in the context of large disturbance events, since with the increasing extent of outages in time as well as space, the societal consequences are likely to be more adverse. At least in the context of electricity supply one major means of preventing outages is so called quality of supply regulations which specify penalties for DSOs in the event of outages. In this way an economic incentive is created for avoiding outages. For the quality of supply regulation to be beneficial the specified penalty should reflect the actual cost of the outage, if this is not the case the DSO will either over- or underinvest in avoiding outages. Some research has been performed concerning the linkage between quality of supply regulations and outage costs of electricity customers (Linares & Rey, 2013). However, no studies have, as far as the author is aware, been carried out that compare quality of supply regulations to the societal consequences of electricity outages. Especially in the context of large disturbance events it should be important to assure that penalties specified by quality of supply regulations reflect societal consequences of outages. In response to this research gap a case study is here performed in which the priorities regarding societal consequences stipulated by the Styrel system are contrasted against penalties stipulated by Swedish quality of supply regulations.

1.3 Delimitations

The main delimitations of the research work are the following:

1. Case studies are here only performed for electricity and IT networks. Although the developed method may have more general applicability within the domain of technical infrastructure networks this cannot be concluded from the research carried out.

2. Hazards are not modelled, instead a vulnerability approach is chosen, meaning that all component failures are sampled with equal probability. This means

22

that neither the probability nor the risk relating to failure events can be determined with the developed method.

3. In the research work in appended papers I-III a purely topological network model is used to represent the infrastructure network. This means that capacity limitations of network components are not considered. The motivation for using this type of model is that it is more suitable for application across several different types of technical infrastructure networks, than a model that is explicitly designed for considering network capacity. The validity of this model is discussed in more detail in section 3.1.

4. The developed method is used to assess to what extent different system modifications affect resilience. In doing this the actual costs or savings related to the system modifications are not considered. Therefore, no results are obtained concerning which type of modifications that are optimal from a cost perspective.

5. Infrastructure dependencies are not considered in the research work. Operators of the studied electricity network do not believe the repair system to be highly vulnerable with respect to disturbance of transport and telecom networks. However, if a rural, rather than an urban network had been studied, these dependencies would be greater. Concerning analysis of IT networks there is a dependence on electricity supply and cooling. Failures relating to such dependencies are not considered in the performed work but can be of interest to include in future work.

6. Resilience metrics that are developed in appended paper I for assessment of impact of parameter variation on system performance are only applied for repair system parameters. In future research it may be of interest to apply these metrics for evaluation of other system parameters, e.g. relating to the topology of the technical network.

7. When developing the simulation model, the primary aim has not been to write efficient code. If the tool is to be used for practical purposes in the industry it can be necessary to redo the coding to increase the computational efficiency.

1.4 Users of research results

The following actors may primarily benefit from the research presented here:

• Operators of electricity and IT networks can use the developed simulation model to assess the resilience of their systems, to identify scenarios for which system resilience is low, to make sure that a functional requirement (e.g. restoration within 24 hours) is fulfilled in a specified fraction of the simulated

23

scenarios, or to assess how system improvements of different kinds will influence system resilience.

• Regulatory agencies can benefit from being able to compare how regulations are steering network investments compared to what may be desired from a societal perspective.

• Operators of technical infrastructure networks, other than electricity and IT networks, may find the work to be of interest, considering that a possible area of future research is to assess the applicability of the developed methods for other types of technical infrastructure networks.

1.5 Research contributions

The work presented in this thesis has led to the following main research contributions:

• Development of a model for simulating restoration processes in electricity and IT networks following large disturbance events. In contrast to previous models, this model considers 1) many simultaneous failures, 2) prioritization of repairs, 3) levels of repair system resource and their variation over time and 4) it is applied for real life systems.

• Development of three resilience metrics, margin, sensitivity1 and 2, for quantitative resilience assessment of electricity networks.

• Demonstrating the restoration model to be useful for assessment of system improvement alternatives regarding the repair system.

• Evaluation of usefulness of the modelling approach through interviews with system operators.

• Contrasting quality of supply regulations against societal electricity outage consequences in a case study on a real life electricity network.

1.6 Publications

Papers included in compilation thesis I. Landegren, F., Johansson, J., & Samuelsson, O. (2016). A Method for

assessing margin and sensitivity of electricity networks with respect to repair system resources. IEEE Transactions on Smart Grid, Vol. 7, No. 6, pp. 2880-2889.

II. Landegren, F., Johansson, J. & Samuelsson, O., (2016). A hybrid model for assessing resilience of electricity networks. In 16th International Conference on Environment and Electrical Engineering (EEEIC), IEEE, Florence, Italy.

24

III. Landegren, F., Höst, M. & Möller, P. A simulation based method for assessing resilience of socio-technical IT networks. Submitted to an international journal.

IV. Landegren, F., Johansson, J. & Samuelsson, O., Comparing quality of supply regulation costs and societal electricity outage priorities: Case study in Sweden. Submitted to an international journal.

Other publications I. Landegren, F., Johansson, J., & Samuelsson, O. (2013). Review of computer

based methods for modelling and simulating critical infrastructures as socio-technical systems. In European Safety and Reliability Association Conference (ESREL), Amsterdam, Netherlands.

II. Landegren, F., Johansson, J., & Samuelsson, O. (2014). Comparing societal consequence measures of outages in electrical distribution systems. In European Safety and Reliability Association Conference (ESREL), Wroclaw, Poland.

III. Landegren, F. (2014). Critical Infrastructures as Socio-technical Systems: Applications to electricity distribution systems, Licentiate Thesis, Division of Industrial Electrical Engineering and Automation, Lund University, E-husets tryckeri, Lund, Sweden.

IV. Landegren, F. (2015) Tekniska infrastruktursystem – återställning och konsekvenser, i Slutrapport från Ramforskningsprogrammet PRIVAD – Program for Risk and Vulnerability Analysis Development, LUCRAM, Lunds universitet, pp. 14-23, In Swedish.

V. Landegren, F., Sulaman, S. M., Möller, P., Höst, M., & Johansson, J. (2016). A method for assessing resilience of socio-technical IT systems. In European Safety and Reliability Association Conference (ESREL), Glasgow, UK.

1.7 Outline of the thesis

In Chapter 2 background is provided to the research work. First concepts are presented that are crucial for the here presented research work: the critical infrastructure concept, the socio-technical systems concept and the three closely related concepts risk, vulnerability and resilience. Secondly a background is given to the systems that have been studied, electricity and IT networks. This includes an overview of the structure of the electricity network in Sweden, Swedish electricity regulations that are relevant for the research, a presentation of the structure and building blocks of IT networks and, finally, main approaches for analysis of restoration processes in technical infrastructure networks.

25

In Chapter 3 work is described that relates to papers I, II and III and research question A, i.e. assessment of how infrastructures can be designed to increase socio-technical system resilience. The model and its conceptual framework is briefly described. Results are exemplified that demonstrate its usefulness for answering the research question.

In Chapter 4 work is described that is related to paper I and research question B, i.e. work concerning resilience metrics that enable quantitative assessment of impact on performance of technical infrastructure networks from system parameter changes. Three resilience metrics are proposed and results concerning these metrics are demonstrated.

In Chapter 5 work is described that is related to appended paper IV and to research question C, i.e. to what extent that present quality of supply regulations reflect the societal consequences of electricity outages. A case study is described that concerns how electricity customers are weighted based on existing regulations and to what extent these weights agree with the priorities stipulated by Styrel.

In Chapter 6 the research questions of the thesis are discussed based on the results that have been presented in Chapters 3-5. In Chapter 7 conclusions from the work are given along with some thoughts about possibilities for future research. Finally, a summary is given for each of the appended papers and the authors contributions to the papers are described.

26

27

Chapter 2 Background

In the previous chapter the research work was introduced and motivated. In this chapter, some concepts that are of crucial importance for the research work are first presented. We begin with the CI concept since this provides the necessary basis for introducing the concept of technical infrastructure networks which is in focus in the thesis. In the consideration of restoration processes as well as societal consequences of infrastructure disturbances a socio-technical systems perspective is applied, and the STS concept is therefore introduced. The work is intended to be relevant in the context of vulnerability and resilience assessment of technical infrastructure networks and for this reason the three related concepts, risk vulnerability and resilience are introduced. In the latter part of the chapter an introduction is given to electricity and IT networks, which have been studied in the research work. Previous work concerning analysis of technical infrastructure network restoration processes is described as well.

2.1 Concepts and definitions

Critical infrastructures

In this thesis, the overarching aim is to advance analysis methods concerning large disturbance events in technical infrastructure networks. The concept of technical infrastructure networks is closely related to that of critical infrastructures (CI) and an introduction to infrastructures in general as well as to the CI concept is therefore needed. Edwards has suggested that the concept “’infrastructure’ is best defined negatively, as those systems without which contemporary societies cannot function” (Edwards, 2003, p. 3). Finger et al. (2005) provide a more explicit definition, proposing that infrastructures have three main characteristics in common. Firstly, they are based on physical networks, secondly traditional market oriented solutions are often not possible, and they therefore pose challenges to institutional governance and thirdly they are of significant economic and political importance and serve major social needs.

CIs can be viewed as a subset of infrastructures. In the US National Plan for Information Systems Protection CIs are defined in the following way: “those systems and assets – both physical and cyber – so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security, national economic security and/or national public health and safety” (White House, 2000, p. 186). Yusta

28

et al. (2011) suggest that “there is broad consensus in defining the critical infrastructure as the ones whose sudden unavailability may cause loss of life, serious or severe impact on health, safety or economy of citizens” (Yusta et al., 2011, p. 6102). We may then conclude that while all infrastructures have major importance from an economic, political or social perspective, the subset of infrastructures that are referred to as critical enable societal functions that are fundamental for national security, national economic security and/or national public health and safety.

The CI concept has been in use since the 1980s (Moteff & Parfomak, 2004, p. 4). During the mid-1990s international terrorism created an increasing awareness of the need to consider risks relating to CIs. As a result, in 1996 President Clinton signed Executive Order 13010, thereby setting up a list of prioritized infrastructure sectors, based on national importance. The following were identified as being critical infrastructures:

• electrical power systems;

• telecommunications;

• transportation;

• water supply systems;

• gas and oil storage and transportation;

• banking and finance;

• emergency services (including medical, police, fire and rescue) and

• continuity of government.

With time, the list of CIs has expanded and today the Department of Homeland Security (DHS) distinguish between 16 different CIs. In the EU, the European Programme for Critical Infrastructure Protection (EPCIP) has been established and concerns among other things the identification of critical infrastructure sectors.2

Technical infrastructure networks are the sub-set of infrastructure systems that are predominantly of a technical nature. Looking at the list of critical infrastructures above, items 1-5 can be referred to the set of technical infrastructure networks while items 6-8 are not technical infrastructure networks. The distinction is useful since analysis of these two groups are likely to require different methods and approaches. While it may be relatively straight forward to adopt the here presented work for other technical infrastructure networks, this is not likely to be the case for other non-technical infrastructure systems such as banking and finance or emergency services.

2https://ec.europa.eu/energy/en/topics/infrastructure/protection-critical-infrastructure, (2017-10-20)

29

Socio-technical systems

In the work that is done in this thesis a socio-technical systems (STS) perspective is applied, both to better understand infrastructure restoration and to enable assessment of societal consequences of infrastructure disturbances. An introduction to the STS concept is therefore needed. The STS concept was first introduced by researchers at the Tavistock Institute (Trist, 1980, p. 7). Trist who took part in this pioneering work, explains that he considered technology and society to be “intertwined in a complex web of mutual causality. In the language of E.A. Singer they were co-products of each other” (Trist, 1980, p. 13). Trist also argues that technological and organizational aspects of a STS should be jointly optimized (Trist, 1980, p. 24) if global sub-optimization is to be avoided. This joint optimization requires a STS perspective.

Which systems may then be classified as STSs? Ottens et al. (2006) provide an answer through making a distinction between three different types of engineering systems: “(1) engineering systems that perform their function without either actors or social institutions performing a sub-function within the system [e.g. the landing gear of an airplane], (2) engineering systems in which actors perform sub-functions but social institutions play no role [e.g. an airplane] and (3) engineering systems that need both actors and some social/institutional infrastructure to be in place in order to perform their function [e.g. an airport]” (Ottens et al., 2006, p. 134-135). Ottens et al. argue that the members of category (1) are purely technical systems, that members of category (2) may be termed human-technical systems and that members of category (3) are STSs. It is pointed out by Ottens et al. that most large infrastructure systems belong to the last category. One thing that sets STSs apart from systems in category (1) and (2) is that they cannot be designed or controlled in the same way. Kroes et al. (2006) suggests that: “At the socio-technical level many stakeholders are involved that all have their own goals and visions, and normally none of these actors can impose their decisions on the other actors. For this reason, STSs cannot be designed, made and controlled from some central point of view, as for instance a car. Instead the STS is continuously being redesigned by many actors from within the system” (Kroes et al., 2006, p. 813).

A STS perspective may prove useful in the context of risk and vulnerability assessment regarding infrastructure systems. The approach may enable identification of risks and vulnerabilities that exist not in the organizational or the technical domain itself but in the interaction of these two domains. De Bruijne & van Eeten (2007, p. 4) points to one such example, arguing that “while our CIs have become more complex and interconnected, the management of these CIs has become increasingly institutionally fragmented” (De Bruijne & vad Eeten, 2007, p. 4). In this thesis infrastructure systems are viewed from a STS perspective in the sense that the infrastructure network is not considered in isolation. Instead its dependence on the repair system as well as its impact on the society are explicitly considered (see Figure 2.1).

30

Figure 2.1. A STS consisting of repair system (left) maintaining and restoring a technical network (middle) which supplies infrastructure services to customers (right).

The advantages of employing a socio-technical approach when analysing restoration processes following large disturbance events have been demonstrated by several researchers. The influence of technical as well as non-technical system parameters can be evaluated concerning their impact on system resilience. On this line Ouyang & Wang (2015) and Ouyang et al. (2012) considers parameters relating to restoration prioritization, protection of network components and resource arrival rate. Similarly, Vugrin et al. (2014) assess system resilience given two different levels of available spare parts. The work of Park et al. and Hwang et al. shows that hybrid models may allow us to complement the detail of discrete event simulation with the non-linear and complex behaviour of system dynamics models. In general, they demonstrate that a STS perspective may alter the result obtained through simpler models, in some cases showing the simple model to give overly optimistic results.

Risk, vulnerability & resilience

The overarching aim of this thesis is to advance analysis methods concerning large disturbance events in technical infrastructure networks. This topic touches upon the concepts risk, vulnerability and resilience. In this thesis risks are not investigated, while infrastructure vulnerability and resilience on the other hand are. However, since these concepts are closely related, with the risk concept providing a necessary back-ground to the latter two, they are all introduced in this section.

Risk has been defined in several ways, e.g. the probability of an adverse outcome, the variability of the outcome and the product of the probability and the degree of an adverse outcome (Grimvall et al., 2003, p. 16-17). Kaplan and Garrick (1981) have suggested a risk definition that has become very influential, according to which risk

NetworkRepair Customer

Technical system

Socio-technical system

31

assessments consist in answering three questions: what can happen, how likely is it and what are the consequences? Risk can accordingly be formally described as follows: = < , , > (2.1)

Where is a given scenario, is the probability of the scenario and is the consequence of the scenario. The curly brackets, , indicate a set including all scenarios, to , with their individual probabilities and consequences. To obtain a true assessment of three requirements must be fulfilled (Hassel, 2010, p. 31): 1) scenarios should be disjoint, meaning that they should not overlap, 2) the set of scenarios should be complete, meaning that all scenarios should be considered although not necessarily in detail and 3) for the assessment to be feasible the number of scenarios must be finite. In relatively uncomplicated situations, as for instance when assessing the risk of losing when playing the roulette, it may be possible to fulfil all three requirements. However, it is safe to say that when analysing any moderately complex system, it will not be possible to fulfil all three conditions. Under such circumstances only approximations of can be obtained. For risk analysis to provide basis for action we must decide on the relative importance of probability and consequence as determinants of risk. Kasperson et al. (1988) point out that this is not easy. It could seem self-evident that we should be indifferent towards a high-probability/low-consequence risk (for instance causing one death per year) and a low-probability/high-consequence risk (causing one thousand deaths every thousand years). In fact, people generally prefer the former. If this general preference is to be given consideration this will give further ground for counteracting large disturbance events, since these events are in fact experienced as more adverse than would seem to be the case when judging from the number of people affected over time, or other quantitative risk indicators.

As suggested by Hassel (2010) and Johansson (2010) we can define vulnerability similarly to how Kaplan and Garrick define risk, i.e. by answering three questions: given a specific perturbation to the system what can happen, how likely is it given the perturbation and what are the consequences? Vulnerability can then be formally defined as follows (Hassel, 2010, p. 37): = < , , > : ∈ (2.2)

Where is the vulnerability of a system to a perturbation , and denotes the set of scenarios that can result from the perturbation . The scenarios considered when determining all belong to , i.e. is a scenario that can occur given the perturbation , denotes the probability of this scenario occurring given the perturbation and denotes the consequence of the scenario. The three requirements that apply for risk assessments, need to be fulfilled also for vulnerability analyses, i.e. the set of scenarios must be disjoint, complete and finite if is to be assessed completely. As is the case for risk analysis the result of a vulnerability analysis will in

32

practice only approximate given that sufficiently complex systems are analysed. From the above definitions of risk and vulnerability we can see that risk analysis can be subdivided into two parts: threat analysis, concerned with identifying and assessing the probability of perturbations, and on the other hand vulnerability analysis, concerned with assessing the consequences of perturbations. Consequently, two main risk reduction strategies can be distinguished: 1) preventing perturbations from happening and 2) reducing the vulnerability of the system to perturbations. An advantage concerning the second strategy is that in many cases the number of perturbations that a system is exposed to is too great to make prevention strategies practicable. In this case a more generic approach is desirable, which may be provided by the vulnerability analysis since it can point to general weaknesses of a system that could, potentially, be exploited by multiple types of perturbations. The definition of vulnerability suggested by Johansson and Hassel is applicable for all kinds of systems. A definition of vulnerability which is specifically adapted for network analysis can be obtained based on Li et al. (2008) who suggest that “robustness refers to the malfunction avoiding ability of a network when a fraction of its constituents are damaged” (Li et al., 2008, p. 101). Vulnerability can then be defined as the lack of robustness, i.e. a vulnerable system is likely to malfunction when a fraction of its constituents are damaged.

The resilience concept has been introduced in the system safety research field as a counterweight to a perceived overemphasis on risk prevention (Boin et al., 2010, p. 7). It is based on a critique against so called anticipation strategies. Anticipation strategies hinge on the belief that we can foretell what will happen and build defences. Such anticipatory strategies are dominating work concerning protection of CIs (De Bruijne & Van Eeten, 2007, p. 11). Wildavsky (1988) suggests that the problem with relying on anticipation is that much resources are spent on specific defences. In contrast, Wildavsky puts emphasis on so called generalizable resources. While a specific defence, for instance a flood protection system, will only be of use if the anticipated threat materializes, in this case a flood, generalizable resources are useful in many foreseeable and unforeseeable hazard events. Examples of generalizable resources are organizational capacity, wealth, knowledge, communication and energy. Resilience should not be seen as the single solution, rather it is a useful complement to anticipation strategies, and the right question to ask is how the right balance can be found between these two strategies (De Bruijne & Van Eeten, 2007). McDaniels et al. (2008) propose a formal definition of resilience. A system is said to be resilient if it is robust (retains a high degree of system function in case of a disturbance), and/or recovers its functionality quickly following a disturbance. The latter quality is referred to as rapidity. In Figure 2.2 the two dimensions of resilience, as understood by McDaniels, are illustrated.

33

Figure 2.2. Resilience curve for a system affected by strain (Wilhelmsson & Johansson, 2009, p. 3).

In this thesis, the understanding of the resilience concept is more in line with the work of McDaniels et al. than with Wildavsky. Resilience here refers to characteristics of a system following a disturbance of some kind, and is seen in low initial loss or a quick recovery of system functionality. However, Wildavskys understanding of resilience strategies is similar to the hazard independent approach pursued in this thesis. In Wildavskys own words it is here an ambition to assess general ability of systems to withstand disturbances rather than to assess and create defences for specific threats.

2.2 Electricity and IT networks

In this section an introduction is given to the systems that have been studied. An overview is first given concerning the Swedish power system, to provide some context to the electricity distribution system that is studied in appended papers I, II and IV. Then follows a description of Swedish power system regulations. These regulations are of interest here since they are used in the studies of electricity outage consequences of appended paper IV. Then the structure and components of IT networks are briefly presented since IT networks are studied in appended paper III. Finally, some background is given to analysis of technical infrastructure network restoration processes, since this is the topic of appended papers I, II and III.

Overview of the Swedish power system

In Sweden as well as in other parts of the world, the power system is traditionally divided into three main parts: generation, transmission and distribution (Figure 2.3). In the generation sub-system primary energy sources are converted to electrical energy, typically involving turbines and synchronous generators. Step-up transformers are then used to raise the voltage to the level used in the transmission system. The transmission

Syst

em fu

nctio

nalit

y

Rapidity

Robustness

Time

34

system can be further divided into the extra high-voltage (EHV) system, with a voltage level above 300 kV, and the high-voltage (HV) system, with a voltage level ranging from 36-300 kV (Lakervi & Holmes, 1995, p. 10). EHV and HV systems are used since they reduce power losses. Thanks to these systems electrical power can be transmitted across countries and even continents.

In Sweden, the distribution system is subdivided into the medium voltage (MV) system, with a voltage level between 1 and 36 kV, and the low voltage (LV) system with a voltage below 1 kV. There are approximately 170 network operators in Sweden, each having a monopoly within one or more geographical regions (Ei, 2015). The part of the overall power system that is considered in the here presented research work stretches from the transformers supplying the medium voltage system to the transformers supplied by the medium voltage system.

Figure 2.3. General schematic of the power system (Lakervi & Holmes, 1995, p. 10).

Power system regulations in Sweden

In Sweden the electric energy market is entirely open, the electricity distribution market, on the other hand, is a natural monopoly. The reason for allowing monopolies is that it is considered a waste of resources to develop parallel electricity networks owned by competing network operators. Since competition on a free market cannot be relied

~

~

consumption

consumption

generation

generation

EHV>300 kV

HV36 - 300 kV

MV1 - 36 kV

LV<1 kV

Studied here

35

upon for assuring quality of supply and low network vulnerability regulations are needed (Ei, 2015, p. 10). In the following two Swedish quality of supply regulations are presented, which are both intended to drive network operators to achieve an appropriate level of quality of supply. In addition, the Styrel system, a Swedish regulation which is intended to reduce adverse consequences of outages, is introduced. The reason for introducing these three regulations is that they have been used in the research work concerning quantification of electricity outage consequences, which is described in Chapter 5.

The revenue frame regulation (RFR) The Swedish Energy Markets Inspectorate is responsible for the revenue frame regulation (RFR). The revenue frame decides limits concerning how much network operators may charge their customers, and thereby counteracts the monopolistic position of the network operators. The revenue frame is decided for a four-year period at a time. At present, we are in the 2016-2019 period, in which a revenue frame has been decided individually for each of the approximately 170 network operators in Sweden. The allowed revenue of the DSO is determined based on an assessment of the costs of the company, so that the revenue will cover these costs and give a reasonable profit. Subtractions are made from the allowed revenue based on the performance of the DSO in terms of quality of supply. In the present period of the RFR customer outages are for the first time weighted based on customer category. In this way subtractions from the DSOs revenue, due to outages, will reflect the actual costs due to the outages more closely. Equation 2.8 describes how outage cost for a customer is assessed in the RFR. = ∗ + ∗ ∗ (2.8)

denotes yearly mean power consumption and denotes the outage duration. and varies depending on customer category as is described in Table 1. The data in the

table is based on a Swedish survey concerning costs of electricity outages for five different customer categories. The survey included close to 2000 customers (Carlsson & Martinsson, 2006) and was updated in (Ei, 2015).

Table 1. Cost of power not supplied ( ) and cost of energy not supplied ( ) for five customer classes according to the Swedish RFR (Ei, 2015, p. 27).

Customer category Cp (SEK/kW) Ce (SEK/kWh)

Commercial service 62 148

Industry 23 71

Agriculture 8 44

Public service 5 39

Household 1 2

36

The RFR applies for all notified outages as well as non-notified outages shorter than 12 hours. For non-notified outages longer than 12 hours another quality of supply regulation applies, which is described below.

Outage compensation regulation (OCR) The RFR creates an incentive for DSOs to reduce the number of outages below 12 hours in duration. Outage compensation is instead creating an incentive for DSOs to avoid outages of longer duration. The compensation that is paid to the customer starts at 12.5% of the customers yearly network tariff, or a minimum of 2% of price base amount for an outage lasting 12-24 hours. It then increases with 25% of the network tariff, or a minimum of 2% of price base amount, with every new 24-hour period of outage that is begun and finally, after 12 days of outage a maximum penalty of 300% of the yearly tariff or 26% of price base amount is reached. In work on quantification of societal consequences of electricity outages that is described in Chapter 5 RFR and OCR are used as two indicators of societal consequences of outages. The third indicator that is considered is the Styrel system which is described below.

Styrel Styrel has been developed through a cooperation between the Swedish Energy Agency, the Swedish National Grid and the Swedish Civil Contingencies Agency. The system is supposed to be used in the event of power shortage to prioritize customers based on their societal importance. To achieve this, customers are grouped into eight overall priority classes and each customer is also given a number of points (see Table 2). The process of determining these priorities and points involves national, county as well as municipal levels of government. In this process, any actor may increase the priority level of a customer, but not lower it, relative to what has been recommended by other actors (Energimyndigheten, 2015). In the municipality that was studied in the here presented work the electricity supply to customers is prioritized according to the following rules:

1. The overall number of non-supplied customers with priority 1 should be minimized

2. The sum of points for all non-supplied customers with priority 2 or less should be minimized

3. Rule 1. has precedence over rule 2.

37

Table 2. Customer categories as defined in Styrel (The number of points given to customers is in most, but not all cases, in accordance with below).

Priority class

Point Power customer

1 7 Customers that in a short time span (hours) have a large impact on life and health

2 6 Customers that in a short time span (hours) have a large impact on the functionality of society

3 5 Customers that in a longer time span (days) have a large impact on life and health

4 4 Customers that in a longer time span (days) have a large impact on the functionality of society

5 3 Customers that represent large economic values

6 2 Customers that have a major importance for the environment

7 1 Customers that have importance for societal and cultural values

8 0 Other customers

IT networks

Figure 2.4 gives an overview to the structure of IT networks. At the top of the image is internet, depicted as a cloud. In the middle of the image is the core IT network. This could represent a portion of the internet or the IT network of an organization. Typically, the core network consists of high performance routers connected by means of high volume optical links. The part of the IT network that is studied in the here presented work lies between the edge/aggregate router and the access switch connecting to work stations. Switches keep records of MAC addresses of all the devices that are connected to it. Using this information, the switches can identify which system that is sitting on which port. When data is received, the switches know exactly which port to send it to, and network response time is therefore not increased.3

The task of the router is to route packets of data to other networks until the packet ultimately reaches its destination. This is made possible by the fact that each packet of data carries its own destination address. A router is normally connected to at least two networks and they act as gateways. The best way for forwarding the packet is determined based on headers and forwarding tables. Routers also communicate with each other to configure the best route between hosts.3

A firewall is a network security system which is intended to prevent unauthorized access to or from a private network. Firewalls can be both in hardware or software, or a combination of both. All messages that enter or leave the protected intranet pass through the firewall and are examined. The firewall blocks all messages that do not meet the specified security criteria.4

3http://www.webopedia.com/DidYouKnow/Hardware_Software/router_switch_hub.asp, (2017-10-20) 4 http://www.webopedia.com/TERM/F/firewall.html (2017-10-20)

38

Figure 2.4. Illustration of IT network, adapted from Stallings (2014, p. 53).

Assessment of restoration time of infrastructure systems

The research work concern restoration of technical infrastructure networks following large disturbance events. Therefore, approaches for assessment of infrastructure restoration time are briefly reviewed with particular focus on the simulation approach, since this is used in the research work. Five main approaches can be distinguished that have been used for assessment of restoration time for infrastructure systems (see reviews by Liu et al. (2007) and Tabuchi et al. (2010)). They are:

Empirical curve fitting, recovery curves are fitted based on data from past outage events and/or expert opinion

Deterministic resource constraints, the restoration process is represented in a simplified manner by means of a set of differential equations and rules

Markov process approach, the restoration process is represented by means of a markov model, in which state transitions represent occurrence of failures or repairs

Statistical regression, regression models are used to predict the duration of each probable outage and restoration curves are then obtained by aggregating these predicted outage durations

Internet

Core router

Edge/aggregate router

Router

Router with firewall

Switch

Work station

Studied here

39

Simulation, with this approach the restoration process is explicitly represented, possibly in high detail The simulation approach makes it possible to analyse the infrastructure as a socio-technical system, in the sense that technical as well as organizational sub-systems are explicitly considered. The advantage of employing socio-technical approaches for assessing infrastructure restoration processes have been demonstrated by several researchers (see e.g. Park et al., 2014; Ramachandran et al., 2015; Ouyang & Wang, 2015; Hwang et al., 2016). In general, the advantage of employing a simulation approach within this research area is that we can explicitly consider and assess influence of organizational as well as technical system parameters on system performance. Among the organizational system parameters, we find for instance the number of available repair personnel and restoration prioritization rules, while among the technical system parameters we find aspects such as infrastructure network topology and amount of spare parts.

40

41

Chapter 3 Modelling technical infrastructure networks to enable assessment of socio-technical system resilience

In the previous chapter background concerning important concepts and the studied systems were presented. In this chapter work is presented that relates to appended papers I-III and to the first research question of the thesis, namely how technical infrastructure networks can be individually modelled to enable exploration of the resilience of the overall socio-technical system with respect to large disturbance events.

In the here presented work the simulation approach, introduced in section 2.2, has been used for assessing restoration time. The main reason for why this approach was selected is that it makes it possible to consider the repair system as well as the technical network in more detail and to see how these systems change over time as the restoration process progresses. This provides advantages concerning three aspects that are especially relevant in the analysis of large disturbance events: 1) possibly large number of simultaneous component failures, 2) prioritization rules used by the DSO to decide order of repair and 3) consideration of available restoration resources over time including the possibility to receive resources from other electricity network operators. When failures in the network as well as restoration resources are explicitly considered, as is possible when performing simulation, we may, for instance, find that resource limitations produce bottleneck effects when sufficiently high strains are simulated. When repair order is explicitly considered this will also affect the result since the priority order will determine where the limited restoration resources are put into use.

In general, the simulation approach makes it possible to analyse the infrastructure as a socio-technical system, in the sense that technical as well as organizational sub-systems are explicitly considered. Previous research on simulation of infrastructure restoration processes which consider infrastructures as socio-technical systems demonstrate many positive features. However, there are still gaps left to consider. In the previous research the repair system is often simplified, in the sense that only one type of resource is considered and that resource arrival rates are assumed to be constant over time (e.g. Ouyang & Dueñas-Osorio 2014, Ouyang & Wang 2015). The assessed scenarios are also very specific (e.g. Ouyang & Dueñas-Osorio 2014, Vugrin et al. 2014, Ouyang & Wang 2015, Ramachandran et al. 2015), thus raising the question to what extent the

42

results mirror a more general resilience of the assessed system. The model presented by Vugrin et al. (2014) considers many different resources, however, the model is demonstrated for a simplified test system and in the case study only one disturbance scenario is considered. In some papers experimentation is performed with decision variables (Ouyang & Dueñas-Osorio 2014, Ouyang & Wang 2015, Vugrin et al. 2014). However, this experimentation is restricted to only two or three values of each parameter.

To address the above-mentioned gaps, it should be of interest to consider many repair resources as well as their non-continuous arrivals over time, in the future development of socio-technical models. Furthermore, it should be of interest to apply the models to real life systems and to use many sampled failure scenarios to give a more complete overview of the resilience of the system. Also, while socio-technical models have previously been used for experimenting with model parameters this experimentation has been limited to few parameter values. When increasing the number of system parameter combinations that are assessed a more detailed understanding can be gained concerning the influence of system parameters on resilience. The here presented work considers the above-mentioned aspects. In the two following sections network modelling and agent based modelling (ABM) are described to provide an understanding of the model that has been developed. Detailed information about the simulation model is found in appended papers I-III.

3.1 Network modelling

In the work, a purely topological network model is used to represent the technical infrastructure network, meaning that network capacity is not considered. The details concerning the representation of the technical network can be found in appended papers I-III. The main advantage as well as drawback of this topological network model is that it leaves out all except the most fundamental of the systems properties. This may be an advantage, considering that the computational burden of running simulations is decreased to the extent that system complexity is abstracted away, while conversely it is a disadvantage if a more detailed system description is needed. In the research work presented here the ability of the purely topological network model to reduce simulation time is a valuable characteristic since it enables simulation of a larger number of failure scenarios. This is related to the requirement of the developed simulation model, that it should enable assessment of many simultaneous failures. Large strain levels imply combinatorial explosions where the number of possible scenarios quickly grows beyond reach. In this context, it is valuable that more simulations can be run within the same time span, meaning that larger portions of the total scenario space can be covered. A further motivation for using a purely topological model is that this type of model is more easily applied across several different types of technical infrastructure networks. To test the validity of the topological model for representing the studied electricity

43

network a comparison was made against a model that considers infeed transformer capacity. Results were in complete agreement for normal load condition (yearly average load is assumed for all customers) as well as for high load condition (two times yearly average load is assumed for all customers). For extreme load (three times yearly average load is assumed for all customers) there are large disagreements between the models for some scenarios.

3.2 Agent based modelling

The simulation model developed in this thesis has one sub-model for representing technical infrastructure networks and one sub-model for representing the repair system. The latter has been developed with inspiration from ABM, which is introduced in this section. ABM has grown out of John von Neumanns work on cellular machines during the 1940s. The agent, which is at the core of every ABM, can be described as autonomous, acting according to simple rules, interdependent and adaptive. One often testified advantage of the modelling approach (e.g. Smith et al. 2007, Bonabeau 2002) is its ability to generate emergent behaviour, a phenomenon which Epstein (2006) describes with the following words: “We get macro-surprises despite complete micro-level knowledge” (Epstein, 2006, p. 21). ABMs are most suited for analysis of situations where there is a lack of central coordination. ABM is a frequently used approach for computer based analysis of socio-technical systems (Landegren et al., 2013) which makes it interesting for analysing infrastructures as socio-technical systems.

In the present work ABM is an inspiration when developing the model describing the repair system. The developed repair system model may, however, best be described as a mix between a queue system model and an ABM. The repairers around which this model is centred do fulfil some of the characteristics of agents of an ABM. They are acting in accordance with simple rules and they are to some extent interdependent. As with other ABMs an advantage of the developed repair system model is that it allows us to set component level parameters, e.g. the repair times and resources requirements of repair jobs or the amount of available resources of various kinds, and to see how these parameter values affect behaviour at a system level in terms of restoration time. This is at least reminiscent of what is referred to as emergent phenomena in ABM.

3.3 Assessing socio-technical system resilience

Figure 3.1 describes the hybrid model used in the research work. The model is described in detail in appended papers I-III. The model was implemented in Matlab® version 2016a. The model is used for simulating restoration processes following disturbances in electricity and IT networks. These can be referred to as Monte Carlo simulations since several important model variables are stochastic, including the set of failed

44

components, failure mode and repair time of components. Below it is demonstrated how resilience of socio-technical systems can be assessed with the developed model.

Figure 3.1. Image describing the hybrid model used in the research, here as applied for the studied electricity distribution network.

In Figure 3.2 system resilience is shown as a function of level of strain for five different study cases: SCADA system with A: repairers working only during office hours, and B: 24/7 work hours, electricity network with C: 12-hour and D: 24-hour resource delivery time and E: IT network of a municipality. These studies are described in full in appended papers I-III. The strain ranges from N-1 up to N-12, where N-k denotes the failure of k components in a technical infrastructure network with N components. Resilience is quantified as the energy not supplied (for the electricity network) and as the user hours of service not supplied due to the outage (for the IT networks). This value is further normalized through division with overall power demand (for the electricity network) and overall number of customers (for the IT networks). This resilience metric is known as resilience loss and in the next chapter, that concerns quantitative resilience metrics, it is formally defined in equation 4.4. The mean and median, indicated with dotted and dash-dot line respectively, give an indication of what to expect in case of strain of various sizes while the percentiles give an indication of the variability in the outcome, since 90% of the sampled scenarios are located within these two bounds. Results of this type may be used by system operators to gain an understanding of how well their system is performing given various levels of network strain. The result can also be used for assessing how adaptation of repair systems will affect overall resilience of the socio-technical system. In this case we see that case A has a much poorer performance than all other cases. This illustrates the advantage of having a 24/7 agreement, which exists in cases B-E but not in case A. It can also be seen that there is almost no difference between the results for cases C and D. In other words, getting additional resources after 12 rather than 24 hours will have almost no impact on system resilience. The reason for why resource arrival time has such little impact on

45

resilience loss is that the systems present levels of resources are high, meaning that additional resources prove advantageous only in a small minority of the simulated scenarios.

Figure 3.2. Mean (dotted line), median (dash-dot line), 5 and 95%-percentiles (dashed lines) of resilience loss as a function of level of strain. Results are shown for five different cases: SCADA system with A: normal work hours, and B: 24/7 work hours, electricity network with C: 12-hour, D: 24-hour resource delivery time and E: municipality. Note the different vertical scales.

In the results shown in Figure 3.2 system parameter variation is binary, i.e. two different cases are explored for the SCADA system (office or 24/7 work hours) and for the electricity network (arrival of external resources after 12 or 24 hours). However, the simulation model can also be used to explore larger parameter spaces thereby giving a more detailed information concerning how decision variables are impacting on system performance. This type of analysis is performed for the electricity network in appended paper I concerning several repair system resources. In Figure 3.3 we see how average

46

rapidity changes with variation in backup power units and excavators and for what resource conditions that a safety requirement (restoration within 24 hours in at least 95% of the simulated scenarios) is fulfilled. The result shows to what extent that resources may be decreased without causing large increases in average rapidity. It can be seen that if external resources arrive after 12 rather than 24 hours decreases in internal resources will not have as much impact on the system performance. As is demonstrated in Figure 3.2 under present resource condition system resilience is impacted to a very small extent by the time point at which external resources arrive. Advantages of early arrival of external resources start to show up only when the system moves away from the present resource condition. This type of result can be valuable input when deciding on level of restoration resources or what ambition to have concerning the speed of arrival of additional resources. The results point at two different strategies for achieving resilience of the socio-technical system. One is to have high levels of resources inhouse, in which case dependence on external resources is low, another option is to cut down on internal resources and accept a reliance on external resources. The latter strategy is likely to be attractive from an economic perspective since it makes it possible for DSOs to share the cost of repair system resources but it also requires that quick arrival of external resources can be assured. This is an example of how decisions concerning infrastructure system design can be made based on the obtained results to achieve a high level of resilience of the socio-technical system.

47

Figure 3.3. Mean restoration time for strain levels N-1, N-6 and N-12 and various levels of repair teams and backup power units. White/grey bar colour indicates that the safety requirement is/is not fulfilled. Results are for electricity network with 12- (left) and 24-hour resource delivery time (right). Black dot indicates present position of the system.

48

49

Chapter 4 Resilience metrics for quantitative assessment of impact on system performance from parameter variation

In the previous chapter work was described that relates to the first research question of this thesis namely how the repair systems of electricity and IT networks can be adjusted to improve the resilience of the overall socio-technical system. First, in this chapter a more detailed view of quantitative resilience metrics, than what was given in section 2.1, is provided. Work is then described that relates to appended paper I and to the second research question of this thesis, which concerns the development of resilience metrics that enable quantitative assessment of impact on performance of technical infrastructure network from system parameter changes given large disturbance events. Three resilience metrics that have been developed in the research work are presented and results concerning these resilience metrics are exemplified.

Numerous metrics have been proposed for quantitative resilience assessment of engineering systems; for an overview see Hosseini et al. (2016). McDaniels et al. (2008) define a system as being resilient if it is robust and/or recovers its functionality quickly, the latter being referred to as rapidity. Following Zobel (2011), robustness ( ) and rapidity ( ) can be formally defined as follows: = 1 − ( ) (4.1) = − (4.2)

Where ( ) denotes the level of quality of the infrastructure service at time , which is immediately following the disturbance and denotes the time point at which the system is fully recovered. Chang & Shinozuka (2004) propose metrics which are similar to robustness and rapidity although understood in a probabilistic sense. Resilience is defined as the probability that the initial performance loss as well as the recovery time are within maximum allowed limits. This is expressed in mathematical formula as follows: = ( | ) = ( < ∗ < ∗) (4.3)

50

Where denotes probability, is the set of performance standards, denotes a level of disturbance, denotes actual performance loss, ∗ denotes maximum allowed performance loss, denotes actual recovery time and ∗ denotes maximum allowed recovery time. The robustness and rapidity metrics, as proposed by McDaniels et al., Zobel and Chang & Shinozuka give a basic and rough understanding of system resilience. The fact that the robustness and rapidity metrics give only a rough understanding of actual system resilience is illustrated in Figure 4.1 where three different recovery curves are shown. The robustness and rapidity are identical for these three curves, nonetheless it is seen that R1 is best, R2 intermediate and R3 worst from a resilience perspective and that the difference in resilience is significant. The cause for these discrepancies is that robustness and rapidity are only considering the initial and end states of the restoration process, while intermediate states do not influence the result. This demonstrates that other metrics besides robustness and rapidity are needed for enabling a more precise understanding of actual system resilience.

Figure 4.1. Three recovery curves, R1, R2 and R3, all giving identical robustness and rapidity values.

Bruneau et al. (2003) have proposed the concept resilience loss which measures the total loss in system quality due to a disturbance event. Resilience loss is quantified with the following formula:

= [1 − ( )] (4.4)

Where and as before respectively denote the time point at which a disturbance happens and the time point of recovery and ( ) denotes the quality of the system at time given as a ratio of nominal quality. Looking at Figure 4.1 it can be seen that the resilience loss metric is indeed able to capture the difference in resilience performance

R1

R2

R3

Syst

em fu

nctio

nalit

y

Rapidity

Robustness

Time

51

of the three recovery curves that eludes us when only robustness and rapidity are considered.

Ouyang et al. (2012) propose the annual resilience ( ) metric. The main difference between and is that concerns only one specific disturbance. instead gives an indication of overall resilience behaviour over a longer time period possibly including multiple disturbances. is measured as the ratio between the area bounded by the actual performance curve ( )and the time axis and the area between the target performance curve ( ) and the time axis. This is expressed with the following formula: = ( )( ) (4.5)

Where denotes the annual resilience, denotes expectation, denotes the time duration over which resilience is assessed, which is assumed to be a year by Ouyang et al. (2012). In Figure 4.2 the metric is illustrated. We could imagine two different systems that are equally degraded when disrupted, however, one system is disrupted ten times per year while the other is disrupted only once per year. These two systems would perform equally well in terms of but there would be a significant difference in terms of .

Figure 4.2. Actual (light grey) and desired (dark grey) system function over time.

Previously mentioned metrics are all related to disturbances of system services. However, in all decision making concerning what level of resilience to strive for monetary considerations are likely to be decisive. The task for the decision maker is to weigh two types of costs against each other: costs related to system outage and costs related to resilience improvement. The decision maker will seek to find the solution for which the sum of these two costs is at a minimum. Vugrin et al. (2011) have proposed three metrics which are useful in this context. System impact ( ) measures the cumulative consequences resulting from an outage. Load not delivered is converted into monetary terms as the utility’s lost revenue. The second metric is total recovery effort

52

( ) which consists in the cumulative costs of resources expended during the recovery process. Resources may include labour, equipment and other. Finally, the recovery dependent resilience ( ) index is suggested for assessing overall system resilience based on and . It sums up the costs of an and normalizes through division with overall revenue. Other resilience metrics are based on network theory metrics. Along this line Omer et al. (2014) propose a metric based on the change in ratio of the closeness centrality of the network between before and after disturbance. System resilience can also be broken down into multiple sub-tasks that must be carried out. Wang et al. (2010) suggest a resilience metric which considers the relative completion times, demands for and weights of all such tasks. Previously mentioned metrics have all been concerned with the resilience of the system as a whole. However, it can also be of interest to assess which system components that are having greatest impact on resilience. Barker et al. (2013) have suggested two such metrics, which they refer to as resilience based component importance measures (CIMs). They are intended to be used for identifying the primary contributors to network resilience. The first metric is concerned with the vulnerability of the network and assesses the improvement in network resilience that is obtained if a given component is invulnerable. The second metric quantifies the proportion of restoration time that is attributed to a given component compared to other components in the network. In the research work concerning infrastructure resilience, presented in appended papers I-III, only three out of the above-mentioned resilience metrics are considered and several aspects are therefore by necessity missed, as is also pointed out in section 1.3. The systems behaviour is captured once a perturbation occurs, but not the probability of perturbations which is included in the metric proposed by Ouyang et al. (2012). Also, cost of outages or of resilience improvement efforts are not considered meaning that no results can be obtained concerning what system design that is optimal from a cost perspective, along the lines suggested by Vugrin et al. (2011). Similarly, no analysis is performed concerning which network sub-components that are contributing most to lack in resilience along the lines suggested by Barker et al. (2013).

The above review of quantitative resilience metrics demonstrates that many alternative metrics are available for quantifying resilience. However, among the quantitative resilience metrics that are applicable for engineering systems there appears to be a lack of metrics which give insight into how system performance is affected by system parameter changes. Engineering systems could be assessed as highly resilient based on the previously mentioned metrics while minor changes in system parameter values would cause major changes in system resilience. While the previously employed resilience metrics are without doubt useful for understanding many aspects of resilience of engineered systems it appears that there is a need for some complementary metrics, which give insight into the possible impact of system parameter changes. Woods (2006) suggests two concepts which could be useful in this context, margin and tolerance. The concepts are described in the following words: ”Margin: how closely or how

53

precariously the system is currently operating relative to one or another kind of performance boundary […] Tolerance: how a system behaves near a boundary – whether the system gracefully degrades as stress/pressure increases or collapses quickly when pressure exceeds adaptive capacity” (Woods, p. 23). Woods concepts have been used in qualitative research about critical infrastructure resilience (e.g. De Carvalho 2011, Mendonça, 2015). They have also been assessed with a semi-quantitative method (Shirali et al., 2016) in which case system operators assess their own performance regarding many different tasks on a performance scale based on which nine overall resilience indicators, among others margin and tolerance, are then obtained. However, margin and tolerance have so far not been demonstrated to be useful as quantitative resilience metrics. As interpreted here, margin and tolerance concern how the system’s ability to cope with disturbances changes as system parameters are varied. Safety is also crucial for understanding these properties. Safety can of cause be defined in many ways, based on many metrics. Here safety is however defined in relation to the rapidity metric. This is in line with Swedish regulations, since it is demanded by law that electricity supply should be restored within 24 hours. In other words, rapidity must not exceed 24 hours. The safety requirement is here defined as follows: = ( < ) > (4.6)

Where denotes probability, is rapidity as defined in equation 2.4, is a specified time limit, here set to 24 hours to reflect Swedish legislation stating that power supply should be restored within 24 hours and denotes a specified probability limit, set to 0.95 in the performed work since regardless of resource investments a perfect fulfilment of the function requirement is not achieved. Here the term sensitivity is used instead of tolerance, used by Woods, since results then have the unit h rather h−1, and are therefore more easily understood. The sensitivity concept that corresponds to tolerance as suggested by Woods is here termed sensitivity1. It concerns the way that the system reacts as it moves across the safety boundary. In addition, another sensitivity concept, sensitivity2, is here proposed which concerns how the system reacts as it moves to the vicinity of the safety boundary. The three resilience metrics are here formally defined as follows:

Margin: = ( + )/ (4.7)

Sensitivity1: 1 = ( ) − ( ) (4.8)

Sensitivity2: 2 = ( ) − ( ) (4.9)

Where is the present level of a given resource, is the smallest amount of the resource for which the safety requirement is fulfilled, is the largest amount for which the safety requirement is not fulfilled and is the average rapidity. The margin and sensitivity metrics are all defined in relation to a safety boundary. If the safety requirement is fulfilled despite complete reduction of a resource there is no safety

54

boundary with respect to the given resource. Margin, sensitivity1 and 2 are consequently undefined with respect to this resource.

The three resilience metrics are assessed for an electricity distribution network, which is studied in appended papers I and II. When delivery of external resources is supposed to occur after 12 hours the safety requirement will be fulfilled for all analysed resource conditions meaning that the margin, sensitivity1 and 2 metrics are undefined. Therefore, these metrics are demonstrated only for the case that external resources are delivered 24 hours after the disturbance, see Figure 4.3. Results concerning margin provides information of how close the system is to the unsafe territory. At present, we see that the DSO is doing well. It could reduce its resources by 60% or more and still would fulfil the safety requirement even in case of N-9 strains. At the N-12 level of strain margins are somewhat smaller. Here reductions of backup power units by more than 30 % or trucks by more than 50 % would mean that the safety requirement is no longer fulfilled. Results concerning sensitivity1 shows how the system performance is impacted if the safety boundary is crossed. We see that at strain level N-1 up to N-9 crossing the boundary with respect to trucks will have by far the greatest impact on system performance. It is only at the N-12 level of strain that sensitivity with respect to reduction in trucks is overtaken by that with respect to reduction in repair teams and excavators. Results concerning sensitivity2 can show the DSO how the system performance is impacted when the system moves to the vicinity of the unsafe territory. Sensitivity is greatest with respect to trucks, for all strain levels except N-6. For strain levels N-6 up to N-12 sensitivity is also relatively large with respect to backup power units. We can also see that sensitivity1 values are generally larger than sensitivity2 values, showing that system performance is not affected to the same extent by movement within the safe territory as by movement across the safety boundary.

Figure 4.3. Margin (left), sensitivity 1 (middle) and sensitivity 2 (right) as a function of level of strain with respect to repair teams (o), excavators (triangle), trucks (*), cable (x) and 400 kVA backup power units (star). Results are for the electricity distribution network assuming 24-hour resource delivery time.

The result shown in Figure 4.3 demonstrates that the suggested metrics can be used for gaining an overview of how the infrastructure system will react to changes in system parameters. A system operator or planner using the results can, based on the margin metric, identify system parameters which will only have to undergo relatively minor

55

changes to reduce safety performance below what is acceptable. In this case trucks and backup power units are the two parameters that stand out. The operator can also, based on the sensitivity1 and 2 metrics, identify system parameters that will affect the system performance to a large extent. Also, here trucks and backup power units stand out and under some conditions repair teams and excavators. We also find that the margins are relatively high for the studied system given most levels of strain. Also for a system of this type the presented metrics can be of use for assuring that margins are not diminished, something which could otherwise happen through creeping, imperceptible changes, perhaps driven by a desire to cut down on expenses.

56

57

Chapter 5 Comparison of quality of supply regulations and societal outage consequences

In the previous chapter work was described that relates to the development of resilience metrics that can enable quantitative assessment of impact on performance of technical infrastructure networks from system parameter changes. In this chapter work is presented that relates to appended paper IV and the third research question of the thesis which concerns to what extent present quality of supply regulations reflect the importance of electricity customers from a societal perspective.

As has been pointed out by Linares & Rey (2013), apart from economic costs electricity outages also bring about societal costs which concern e.g. risk to health and safety or loss of leisure time. Here the term societal consequence is used instead of societal costs to emphasize that no attempt is made to assess this type of outage consequences in terms of monetary value. While cost of loss of leisure time has been assessed in previous research, most aspects of societal consequences of electricity outages still have not been subject to much research. Linares & Rey identifies lack of relevant data as a major stumbling block that hinders further progress in assessment of these consequences. In this thesis, electricity regulations are pointed to as one potentially fruitful source of data that can give insight into societal outage consequences. Regulations obviously reflect consequences for the network operators in the sense that they specify penalties that are paid by network operators in case of outages. But they are also likely to reflect some aspects of consequences for society in general, since regulatory agencies are implicitly (e.g. in the case of OCR) or explicitly (e.g. in the case of the RFR) aiming to design regulations so that penalties will reflect societal consequences. In addition to the two Swedish quality of supply regulations, OCR and RFR, the Swedish Styrel system (described in section 2.2) is also believed to bring valuable insight concerning societal consequences brought about by electricity outages. The different regulations are however, each designed to consider one particular aspect of electricity outages:

• The RFR is focused at normal, short duration outages

• The OCR is focused at long duration outages affecting non-critical customers, oftentimes located in rural areas

58

• Styrel considers extreme events, power shortage, and is focused at customers that are critical to society

It is believed to be of interest to compare these regulations, to see to what extent they do reflect each other. If quality of supply regulations are indeed not capturing all aspects of societal consequences of electricity outages this can be a cause of concern. The quality of supply regulations shape the economic incentives that decide how investments are made in electricity networks as well as in restoration resources. If some societal outage consequences are not reflected in the regulations, too little consideration may be paid to outages that can have wide ranging societal consequences.

In appended paper IV a study is carried out on the customers of an electricity distribution system to see to what extent that quality of supply regulations and the Styrel priorities agree. In Johansson et al. (2007) customer equivalents (CE) is proposed as a means of capturing the societal consequences of outages. Electricity customers that are more important from a societal perspective, e.g. the headquarters of a municipality, can be thought of as being equivalent to many non-critical electricity customers from a societal consequence perspective. This weight relation is expressed in the CE value. The regulations are, implicitly, deciding CE values for all electricity customers. The following formulas are suggested for quantification of these implicit CE values: , = , ,⁄ (5.1)

, = , ,⁄ (5.2)

, here stands for the CE of the :th customer as determined based on RFR, , denotes the penalty related to the :th customer based on RFR and , denotes the median penalty of customers with priority 8 based on RFR. , stands for the CE of the :th customer as determined based on OCR, , denotes the penalty related to the :th customer based on OCR and , denotes the median penalty of customers with priority 8 based on OCR. It is interesting to see if these implicit CE values agree with the priority scale suggested by Styrel. If this is the case we will find that CE values of customers are generally decreasing with level of priority. If there are major deviations from this trend we will on the other hand conclude that the quality of supply regulations are not reflecting the societal priorities embodied in Styrel.

In the research work CE values were also determined through a minor expert elicitation survey which made it possible to contrast existing regulations against expert elicited weights. In Figure 5.1 we see comparisons between weights implicit in existing regulations and those obtained through expert elicitation for two different outage durations. The RFR based weights are not included in the results for the 48-hour outage duration since the RFR does not apply for outages longer than 12 hours in duration. The graphs show that weights of both quality of supply regulations tend to

59

increase with level of priority. However, priority class 5 is clearly deviating from this trend. The median weight of this customer class is significantly higher than that of higher priority classes. Furthermore, we see that expert elicited weights for priority classes 1-4 are higher than weights implicit in quality of supply regulations, that expert elicited weight of priority class 5 agrees with the OCR based weight of this customer class but not with the RFR based weight and that the expert elicited weight of priority class 7 agrees relatively well with the weight of this customer class that is obtained based on quality of supply regulations.

Figure 5.1. Weights of priority classes 1-7 relative to priority class 8 based on RFR (red) and OCR (blue). Median expert estimate of CE for minimum (x), most probable (o) and maximum (x). Results are shown for 12-hour outage duration (left) and 48-hour outage duration (right). No customer data is available for priority class 6. Outliers (indicated as red points) are data points outside the interval: [Q1-1.5*(Q3-Q1), Q3+1.5*(Q3-Q1)], where Q1, Q2 and Q3 are the first, second and third quartiles.

This result indicates that existing quality of supply regulations are not reflecting societal electricity outage consequences as seen in the Styrel priority scale and the expert elicited weights. This lack in agreement may imply that the economic incentive of the DSO, determined largely by the quality of supply regulations, is not reflecting priorities relating to customer that are critical to society. In particular we see that outages affecting customers in priority class 5 are associated with significantly greater penalties than are outages affecting customers in higher priority classes which may cause DSOs to give more weight to these customers than can be motivated from a societal perspective.

60

61

Chapter 6 Discussion

The research work concerns three main areas each related to one of the research questions of this thesis: modelling technical infrastructure networks to enable exploration of resilience of socio-technical system with respect to large disturbance events (appended papers I, II and III), development of resilience metrics that enable quantitative assessment of impact on performance of technical infrastructure networks from system parameter changes given large disturbance events (appended paper I) and comparing quality of supply regulations and societal outage consequences (appended paper IV). In this chapter, the research questions are discussed based on the results presented in chapters 3-5.

6.1 Modelling technical infrastructure networks to enable assessment of socio-technical system resilience

The first research question of the thesis concerns how technical infrastructure networks can be modelled to enable exploration of the resilience of the overall socio-technical system with respect to large disturbance events. A simulation approach was found to be advantageous since it allows the technical network as well as the repair system and its various resources to be explicitly considered. A simulation model was developed which considers the following aspects argued to be crucial in the context of large disturbance events: 1) many simultaneous component failures, 2) prioritization rules used by the DSO to decide order of repair and 3) available restoration resources over time including the possibility to receive external resources, for instance from DSO cooperation groups. The developed hybrid model consists of two sub-models: a network model, which represents the technical network and failures occurring in the network, and a queuing model which represents the repair system. The queuing model enables repair prioritizations to be considered as the order in which jobs are lined up in the queuing model. The repair model also enables repair system resources to be represented as servers or resources in stock, and arrival of external resource over time can then easily be simulated.

The benefits of using a socio-technical approach in modelling infrastructure restoration processes has been demonstrated in previous research. In particular it enables analysis of how technical and non-technical system parameters affect system performance. However, it was found that several aspects had not been treated sufficiently:

62

consideration of multiple restoration resources as well as their non-continuous arrivals over time, the analysis of large numbers of strain scenarios and consideration of large numbers of hypothetical system parameter values. The presented work covers these research gaps and therefore is believed to contribute to the research field. Based on the obtained results it can be found how resilience of the overall socio-technical system is impacted by changes in parameters of the repair system. It was, for instance, found that work hour agreements for repairers had a very large impact on resilience of the investigated SCADA system while time of arrival of external repair system resources had an insignificant effect on the resilience of the electricity network.

The analysis, in distinction to previous research, considers vast numbers of strain scenarios as well as many different levels of strain. In appended paper I results are also obtained in which many possible parameter combinations are explored and the system resilience is obtained for each such combination. It was found that if external resources arrive quickly, i.e. after 12 hours, the network operator can choose to reduce any given internal resource to zero with only a modest increase in average rapidity as a result and still fulfilling the safety requirement. This hints at a possible strategy for how to design the repair system, namely to outsource restoration resources to a common pool which is accessed by multiple network operators. This strategy is likely to be advantageous from an economic perspective since many network operators can share the cost of restoration resources but it demands that resources can be trusted to arrive quickly. In general, it is found that the obtained results can provide information about how adaptations of the infrastructure system will affect system resilience. Such results are believed to be of value for DSOs for deciding between system improvement options.

6.2 Resilience metrics for quantitative assessment of impact on system performance from parameter variation

The second research question of the thesis concerns the development of resilience metrics that enable quantitative assessment of impact on performance of technical infrastructure networks from system parameter changes given large disturbance events. There exists a diverse flora of quantitative resilience metrics for analysis of engineering systems. However, despite this diversity there is still an apparent lack of quantitative metrics that do consider the impact of system parameter variation on system performance. To address this research gap three resilience metrics, margin, sensitivity1 and 2, were operationalized for quantitative research and used in analysis. It was found that margin can give an overview to how closely the system is positioned to a safety boundary with respect to different system resources and that the sensitivity metrics can give an understanding of how the systems performance will degrade as the system moves to, and across the safety boundary with respect to these different resources. In the event of large disturbance events resources are likely to be insufficient, thereby delaying

63

recovery. The ability of the developed metrics to give an overview to how variation in system parameters, such as repair system resources, impacts on system performance is therefore believed to make them useful for developing resilience of technical infrastructure networks with respect to large disturbance events.

6.3 Comparison of quality of supply regulations and the societal outage consequences

The third research question of this thesis concerns to what extent present quality of supply regulations reflect the importance of electricity customers from a societal perspective. A case study was performed on an electricity distribution network to answer this question. As has been pointed out by Linares & Rey (2013) a major obstacle to assessing societal outage consequences is lack of relevant data. In performing the case studies data was gathered from several sources: two Swedish quality of supply regulations, the Styrel priorities and an expert elicitation survey. It was found that the two quality of supply regulations tend to give weights that increase with priority level, which agrees with the intention of the Styrel system. A striking exception to this rule is the priority 5 customer category which is weighted significantly higher by both quality of supply regulations than customers in the other priority classes. It was also found that the priority classes 1-4, which are critical either for life and health or for the functionality of society, are given higher weights by experts than they get based on the quality of supply regulations. On the other hand, expert and quality of supply regulation weightings agree partially concerning priority class 5 and they agree relatively well concerning priority class 7. Quality of supply regulations have been set up to create an economic incentive for network operators to achieve a sufficiently high quality of service. In this perspective, the finding that quality of supply regulations do in some cases not reflect some aspects of societal consequences of electricity outages is problematic. It indicates that the economic incentive created by the regulations may not, to a sufficient extent, drive network operators to avoid outages with wide ranging societal consequences. It could be desirable to adapt existing quality of supply regulations so that prioritized customers, especially those that are critical for life and health or for the functionality of society, are considered separately, for instance by using separate weights for these customers.

64

65

Chapter 7 Conclusions and future research

In this last chapter of the thesis answers to the three overall research questions are given and topics for future research are mentioned.

Research question A: How can technical infrastructure networks be individually modelled to enable exploration of the resilience of the overall socio-technical system with respect to large disturbance events?

A hybrid model was developed for analysing resilience of the socio-technical system and was applied in case studies on an electricity distribution network as well as on two IT networks (appended papers I-III). The model was found to be useful for analysing the resilience of the overall socio-technical system since it explicitly represents technical as well as non-technical sub-systems of the socio-technical system. One sub-model represents the technical infrastructure network and one sub-model represent the repair system. In this way the resilience of the technical infrastructure network can be explored through explicit simulations. Since the technical network is explicitly represented it is possible to simulate large numbers of simultaneous component failures which is relevant in the context of large disturbance events. Since technical as well as non-technical system parameters are explicitly represented it is also possible to investigate the impact of modification of technical and non-technical system parameters on resilience. In the research work modifications were made of several system parameters and it was for instance found that variation of arrival time of external resources for the studied electricity network had little impact on system resilience while work hour agreements (office hours or 24/7 work agreement) of repairers of the studied SCADA network had a dramatic impact on system resilience. In conclusion the developed simulation model can give an understanding concerning resilience of technical infrastructure networks in the event of large disturbance events as well as concerning how system improvement options will influence system resilience.

Research question B: What resilience metrics are suitable for quantitative assessment of impact on performance of technical infrastructure network from system parameter changes given large disturbance events?

Three resilience metrics, margin, sensitivity1 and 2, were developed for assessing impact on system performance from system parameter changes. They were applied in a case study (appended paper I) on an electricity distribution network in which small as well

66

as large numbers of simultaneous component failures were considered, both of which are relevant in the context of large disturbance events. The developed metrics are all related to the concept of safety which was here defined as the ability of the system to be fully restored within 24 hours in 95% of the simulated scenarios. This safety requirement is believed to be relevant since the Swedish function requirement for electricity networks demands that electricity supply should be restored within 24 hours. The safety boundary is furthermore understood as the lowest level of a given resource for which the system is still safe. It was found that margin can give an overview to how closely the system is positioned to the safety boundary with respect to different system resources and that the sensitivity metrics can give an understanding of how the systems performance will degrade as the system moves to, and across the safety boundary with respect to these different resources. It is concluded that these metrics can complement existing quantitative resilience metrics by showing how the studied system reacts to changes in system parameters.

Research question C: To what extent do present quality of supply regulations reflect the importance of different electricity customer categories from a societal perspective?

A case study was performed (appended paper IV) in which weights of customers in an electricity distribution network were quantified and contrasted based on two Swedish quality of supply regulations as well as on the Styrel system. The Styrel system is believed to give an insight into societal consequences relating to outage of customers that are critical to society. Expert elicitation was also used to complement and nuance the picture of the weighting obtained by the above main approach. It was found that the two quality of supply regulations tend to give weights that increase with priority level, which agrees with the intention of the Styrel system. A striking exception to this rule is the priority 5 customer category (customers that represent large economic values) which is weighted significantly higher by both quality of supply regulations than customers in the other priority classes. It was also found that the priority classes 1-4, which are critical either for life and health or for the functionality of society, are given higher weights by experts than they get based on the quality of supply regulations. On the other hand, expert and quality of supply regulation weightings agree partially concerning priority class 5 and they agree relatively well concerning priority class 7. It is concluded that customers that are critical for society may need to be considered separately in future quality of supply regulations, to make penalties relating to outage of these customers be more in proportion to their importance for society. It is also concluded that the minor expert elicitation survey carried out for obtaining weights of Styrel priority classes suggests one way in which weights of high priority customers can be obtained and incorporated in quality of supply regulations.

67

Future research There are several areas where more research is needed. Such areas are suggested below:

• Repair systems of technical infrastructure networks themselves depend, to varying extent, on technical infrastructure networks, notably transport and telecommunication networks. In future research, it will be of interest to study how these dependencies affect the repair system and restoration times.

• It can be of interest to consider cost of restoration resources. This will enable optimization of the repair system given a limited budget.

• In the present work analyses have been performed in three different domains: repair system, technical network and society. In future work, it can be of interest to perform analyses that span all three domains. It will then be possible to go all the way from a failure scenario, simulated in the technical network, through customer outage hours given by the repair system model and obtain the consequences of the outage in terms of penalty payed by the DSO or overall outage time of customers of various Styrel priority classes.

• The repair system model has so far been applied for electricity and IT networks. It will be of interest to explore the applicability of the model also with respect to other technical infrastructure networks such as transport or water distribution networks.

• The quantitative margin and sensitivity metrics, which have been developed here, have only been applied for parameters relating to the repair system. In future research it will be of interest to apply these metrics to other system parameters, for instance relating to the topology of the technical network.

68

69

References

Barker, K., Ramirez-Marquez, J. E., & Rocco, C. M. (2013). Resilience-based network component importance measures. Reliability Engineering & System Safety, Vol. 117, pp. 89-97.

Billinton, R., & Allan, R. N. (1992). Reliability evaluation of engineering systems, Plenum press, New York, U.S.

Bisogni, F., & Cavallini, S. (2010). Assessing the economic loss and social impact of information system breakdowns. Fourth Annual International Conference on Critical Infrastructure Protection, (ICCIP2010), Washington, US, Vol. 4, pp. 185-198.

Boin, A., Comfort, L. K. & Demchak, C. C., The rise of Resilience in Comfort, L. K., Boin, A. & Demchak, C. C., (Ed.) (2010). Designing Resilience, University of Pittsburgh Press, Pittsburgh, U.S., pp. 1-12.

Bonabeau, E. (2002). Agent-based modeling: Methods and techniques for simulating human systems. Proceedings of the National Academy of Sciences of the United States of America, Vol. 99, No. 3, pp. 7280-7287.

Bruneau, M., Chang, S. E., Eguchi, R. T., Lee, G. C., O’Rourke, T. D., Reinhorn, A. M., Shinozuka, S., Tierney, K., Wallace, W. A. & von Winterfeldt, D. (2003). A framework to quantitatively assess and enhance the seismic resilience of communities. Earthquake spectra, Vol. 19, No. 4, pp. 733-752.

Carlsson, F. and P. Martinsson. (2006). Kostnader av elavbrott–En studie av svenska elkunder, Elforsk rapport 06:15, In Swedish.

Chang, S. E., & Shinozuka, M. (2004). Measuring improvements in the disaster resilience of communities. Earthquake Spectra, Vol. 20, No. 3, pp. 739-755.

De Bruijne, M., & Van Eeten, M. (2007). Systems that should have failed: critical infrastructure protection in an institutionally fragmented environment, Journal of Contingencies and Crisis Management, Vol. 15, No. 1, pp. 18-29.

De Carvalho, P. V. R. (2011). The use of Functional Resonance Analysis Method (FRAM) in a mid-air collision to understand some characteristics of the air traffic management system resilience. Reliability Engineering & System Safety, Vol. 96, No. 11, pp. 1482-1498.

Edwards, P. N. (2003). Infrastructure and modernity: Force, time, and social organization in the history of socio-technical systems, In Modernity and technology, Massachusetts Institute of Technology, Boston, U.S., pp. 185-225.

70

Ei (2015). Kvalitetsreglering av intäktsram för elnätsföretag – Reviderad metod inför tillsynsperioden 2016-2019, (Ei R2015:06), In Swedish. Webb address: https://www.ei.se/sv/Publikationer/Rapporter-och-PM/rapporter-2015/kvalitetsreglering-av-intaktsram-for-elnatsforetag-reviderad-metod-infor-tillsynsperiod-2016-2019-ei-r2015-06/ (2017-10-20).

Energimyndigheten (2015). Styrel - Handbok för Styrels planeringsomgång 2014-2015, (ET2013:28), In Swedish. Webb address:https://www.energimyndigheten.se/globalassets/trygg-energiforsorjning/styrel/handbok-for-styrels-planeringsomgang-2014-2015.pdf (2017-10-20).

Epstein, J. M., (2006). Generative social science: studies in agent-based computational modeling, Princeton University Press, Princeton, U.S.

Finger, M., Groenwegen, J., & Kunneke, R. (2005). Quest for Coherence between Institutions and Technologies in Infrastructures, The. J. Network Ind., Vol. 6, pp. 227-260.

Grimvall, G., Jacobsson, P., & Thedéen, T. (2003). Risker i tekniska system. Studentlitteratur, Lund, Sweden, In Swedish.

Hansman, R. J., Magee, C., De Neufville, R., & Robins, R. (2006). Research agenda for an integrated approach to infrastructure planning, design and management, International journal of critical infrastructures, Vol. 2, No. 2, pp. 146-159.

Hassel, H. (2010). Risk and vulnerability analysis in society’s proactive emergency management: Developing methods and improving practices, PhD thesis, Lund University.

Hosseini, S., Barker, K. & Ramirez-Marquez, J. E. (2016). A review of definitions and measures of system resilience, Reliability Engineering & System Safety, Vol. 145, pp. 47-61.

Hwang, S., Park, M., Lee, H. S., & Lee, S. (2016). Hybrid Simulation Framework for Immediate Facility Restoration Planning after a Catastrophic Disaster. Journal of Construction Engineering and Management, Vol. 142, No. 8, pp. 1-15.

Johansson, J., Hassel, H., Cedergren, A., Svegrup, L., & Arvidsson, B. (2015). Method for describing and analysing cascading effects in past events: Initial conclusions and findings. In European Safety and Reliability Association Conference (ESREL2015), Zürich, Switzerland.

Johansson, J., Hassel, H., & Zio, E. (2013). Reliability and vulnerability analyses of critical infrastructures: comparing two approaches in the context of power systems. Reliability Engineering & System Safety, Vol. 120, pp. 27-38.

Johansson, J., Jonsson, H., and Johansson, H. (2007). Analysing the vulnerability of electric distribution systems: a step towards incorporating the societal consequences of disruptions. International Journal of Emergency Management, Vol. 4, No. 1, pp. 4-17.

71

Kaplan, S., & Garrick, B. J. (1981). On the quantitative definition of risk, Risk analysis, Vol. 1, No. 1, pp. 11-27.

Kasperson, R. E., Renn, O., Slovic, P., Brown, H. S., Emel, J., Goble, R. & Ratick, S. (1988). The social amplification of risk: A conceptual framework, Risk analysis, Vol. 8, No. 2, pp. 177-187.

Kroes, P., Franssen, M., Poel, I. V. D., & Ottens, M. (2006). Treating socio‐technical systems as engineering systems: some conceptual problems, Systems research and behavioural science, Vol. 23, No. 6, pp. 803-814.

Lakervi, E., & Holmes, E. J. (1995). Electricity distribution network design, Institution of Electrical Engineers, London, UK.

Landegren, F. (2014). Critical Infrastructures as Socio-technical Systems: Applications to electricity distribution systems, Licentiate Thesis, Division of Industrial Electrical Engineering and Automation, Lund University, E-husets tryckeri, Lund, Sweden.

Landegren, F. (2015). Tekniska infrastruktursystem – återställning och konsekvenser , i Slutrapport från Ramforskningsprogrammet PRIVAD – Program for Risk and Vulnerability Analysis Development, LUCRAM, Lunds universtitet, pp. 14-23, In Swedish.

Landegren, F., Johansson, J., & Samuelsson, O. (2013). Review of computer based methods for modelling and simulating critical infrastructures as socio-technical systems. In European Safety and Reliability Association Conference (ESREL2013), Amsterdam, Netherlands.

Landegren, F., Johansson, J., & Samuelsson, O. (2014). Comparing societal consequence measures of outages in electrical distribution systems. In European Safety and Reliability Association Conference (ESREL2014), Wroclaw, Poland.

Landegren, F., Johansson, J., & Samuelsson, O. (2016). A Method for assessing margin and sensitivity of electricity networks with respect to repair system resources. IEEE Transactions on Smart Grid, Vol. 7, No. 6, pp. 2880-2889.

Landegren, F., Samuelsson, O., & Johansson, J. (2016). A hybrid model for assessing resilience of electricity networks. In 16th International Conference on Environment and Electrical Engineering (EEEIC), IEEE, Florence, Italy.

Landegren, F., Sulaman, S. M., Möller, P., Höst, M., & Johansson, J. (2016). A method for assessing resilience of socio-technical IT-systems. In European Safety and Reliability Association Conference (ESREL2016), Glasgow, U.K.

Lee, B., Preston, F., & Green, G. (2012). Preparing for high-impact, low-probability events: lessons from Eyjafjallajökull. Chatham House. Webb address: https://www.chathamhouse.org/sites/files/chathamhouse/public/Research/Energy,%20Environment%20and%20Development/r0112_highimpact.pdf (2017-10-20).

Linares, P., & Rey, L. (2013). The costs of electricity interruptions in Spain. Are we sending the right signals? Energy Policy, Vol. 61, pp. 751-760.

72

Li, P., Wang, B. H., Sun, H., Gao, P., & Zhou, T. (2008). A limited resource model of fault-tolerant capability against cascading failure of complex network. The European Physical Journal B-Condensed Matter and Complex Systems, Vol. 62, No. 1, pp. 101-104.

Little, R. G. (2004). Holistic strategy for urban security, Journal of Infrastructure Systems, Vol. 10, No. 2, pp. 52-59.

Liu, H., Davidson, R. A., and Apanasovich, T. V. (2007). Statistical forecasting of electric power restoration times in hurricanes and ice storms, IEEE Trans. Power Syst., Vol. 22, No. 4, pp. 2270–2279.

McDaniels, T., Chang, S., Cole, D., Mikawoz, J., & Longstaff, H. (2008). Fostering resilience to extreme events within infrastructure systems: Characterizing decision contexts for mitigation and adaptation, Global Environmental Change, Vol. 18, No. 2, pp. 310-318.

Mendonça, D., & Wallace, W. A. (2015). Factors underlying organizational resilience: The case of electric power restoration in New York City after 11 September 2001, Reliability Engineering & System Safety, Vol. 141, pp. 83-91, Sept.

Minkel, J. R. (2008). The 2003 Northeast Blackout--Five Years Later. Scientific American. Webb address: https://www.scientificamerican.com/article/2003-blackout-five-years-later/ (2017-10-20).

Moteff, J., & Parfomak, P. (2004). Critical infrastructure and key assets: definition and identification, Library of congress Washington DC congressional research service.

Newitz, A. (2013). Scatter Adapt and Remember: How Humans Will Survive A Mass Extinction. Penguin, Canada.

Omer, M., Mostashari, A., & Lindemann, U. (2014). Resilience analysis of soft infrastructure systems. Procedia Computer Science, Vol. 28, pp. 565-574.

Ouyang, M., Dueñas-Osorio, L., & Min, X. (2012). A three-stage resilience analysis framework for urban infrastructure systems. Structural safety, Vol. 36, pp. 23-31.

Ouyang, M., & Wang, Z. (2015). Resilience assessment of interdependent infrastructure systems: With a focus on joint restoration modelling and analysis. Reliability Engineering & System Safety, Vol. 141, pp. 74-82.

Ottens, M., Franssen, M., Kroes, P., & Van De Poel, I. (2006). Modelling infrastructures as socio-technical systems, International Journal of Critical Infrastructures, Vol. 2, No. 2, pp. 133-145.

Park, M., Lee, S. H., Lee, H. S., Choi, M., Hwang, S., Moon, M. G., Lee, S. & Pyeon, J. H. (2014). A Framework for Post-disaster Facility Restoration Management: Needs and Requirements for the Use of Hybrid Simulation. In Construction Research Congress 2014: Construction in a Global Network, pp. 1269-1278.

Petermann, T., Bradke, H., Lüllmann, A., Poetzsch, M., & Riehm, U. (2014). What Happens During a Blackout: Consequences of a Prolonged and Wide-ranging Power Outage. BoD–Books on Demand. Webb address: https://www.tab-beim-bundestag.de/en/pdf/publications/books/petermann-etal-2011-141.pdf (2017-10-20).

73

Ramachandran, V., Long, S. K., Shoberg, T., Corns, S., & Carlo, H. J. (2015). Framework for Modelling Urban Restoration Resilience Time in the Aftermath of an Extreme Event. Natural Hazards Review, Vol. 16, No. 4.

Risk management solutions (RMS) (2008). The 1998 ice storm: 10-year retrospective. Webb address: http://forms2.rms.com/rs/729-DJX-565/images/wtr_1998_ice_storm_10_retrospective.pdf (2017-10-20).

Shirali, G. A., Motamedzade, M., Mohammadfam, I., Ebrahimipour, V., & Moghimbeigi, A. (2016). Assessment of resilience engineering factors based on system properties in a process industry. Cognition, Technology & Work, Vol. 18, No. 1, pp. 19-31.

Smith, E. R., & Conrey, F. R. (2007). Agent-based modeling: a new approach for theory building in social psychology. Personality and social psychology review : an official journal of the Society for Personality and Social Psychology, Inc, Vol. 11, No. 1, pp. 87–104.

Stallings, W. (2014). Data and computer communications. Tenth edition, Pearson. Tabucchi, T., Davidson, R., & Brink, S. (2010). Simulation of post-earthquake water supply

system restoration, Civil Engineering and Environmental Systems, Vol. 27, No. 4, pp. 263-279.

Toll, M. (2007). Storm Gudrun—What can be learnt from the natural disaster of 2005?, Swedish Energy Agency, Eskilstuna, Sweden, Tech. Rep. ET 2007:36.

Trist, E. (1980). The evolution of socio-technical systems, Conference on organizational design and performance, Pennsylvania, U.S.

Van Der Welle, A., & Van Der Zwaan, B. (2007). An overview of selected studies on the value of lost load (VOLL). Energy Research Centre of the Netherlands (ECN).

Vugrin, E.D., D.E. Warren, and M.A. Ehlen, (2011). A resilience assessment framework for infrastructure and economic systems: Quantitative and qualitative resilience analysis of petrochemical supply chains to a hurricane, Process Safety Progress, 30, pp. 280–290.

Vugrin, E. D., Baca, M. J., Mitchell, M. D., & Stamber, K. L. (2014). Evaluating the effect of resource constraints on resilience of bulk power system with an electric power restoration model. International Journal of System of Systems Engineering, Vol. 5, No. 1, pp. 68-91.

Wang, J. W., Gao, F., & Ip, W. H. (2010). Measurement of resilience and its application to enterprise information systems. Enterprise Information Systems, Vol. 4, No. 2, pp. 215-223.

White House (2000). Defending America’s Cyberspace: National Plan for Information Systems Protection. Version 1.0. An Invitation to a Dialogue. Webb address: https://fas.org/irp/offdocs/pdd/CIP-plan.pdf (2017-10-20).

Wildavsky, A. B. (1988). Searching for safety, Transaction publishers, New Jersey, US.

74

Wilhelmsson, A., Johansson, J., (2009). Assessing Response System Capabilities of Socio-Technical Systems, The International Emergency Management Society (TIEMS2009), Istanbul, Turkey.

Winner, L. (2004). Trust and terror: the vulnerability of complex socio‐technical systems, Science as Culture, Vol. 13, No. 2, pp. 155-172.

Woods, D. D. (2006). Essential characteristics of resilience, In Resilience engineering: concepts and precepts, Burlington, Ashgate Publishing Company, pp. 21-34.

Yusta, J. M., Correa, G. J., & Lacal-Arántegui, R. (2011). Methodologies and applications for critical infrastructure protection: State-of-the-art, Energy policy, Vol. 39, No. 10, pp. 6100-6119.

Zobel, C. W. (2011). Representing perceived tradeoffs in defining disaster resilience. Decision Support Systems, Vol. 50, No. 2, pp. 394–403.

75

Summary of appended papers

Paper I – Resilience assessment of electricity networks, margin and sensitivity Landegren, F., Johansson, J., & Samuelsson, O. (2016). A method for assessing margin and sensitivity of electricity networks with respect to repair system resources. IEEE Transactions on Smart Grid, Vol. 7, No. 6, pp. 2880-2889.

Three resilience metrics, margin, sensitivity1 and 2, described in Chapter 4, are for the first time demonstrated to be useful for quantitative resilience assessment. These metrics are related to the concept of a safety requirement, here understood as ability of the system to recover full functionality within 24 hours in at least 95% of the sampled scenarios. Margin is understood as the degree to which a resource can be decreased without making the system unable to fulfil the safety requirement. Sensitivity on the other hand refers to the increase in average restoration time that will occur as the system resource is reduced from its present level to the level at which the safety requirement is no longer fulfilled. The resilience metrics are quantified using a hybrid model for simulation of restoration processes in electricity distribution networks, described in Chapter 3. A case study is performed on the electricity distribution network of a Swedish city considering several levels of network strain. It is concluded that the proposed resilience metrics provide perspectives on system resilience which are not offered by previously developed quantitative resilience metrics. In particular, they illustrate the impact that variation in system resources have on system performance.

Paper II – Resilience assessment of electricity networks, robustness, rapidity and resilience loss Landegren, F., Johansson, J., Samuelsson, O., & (2016). A hybrid model for assessing resilience of electricity networks. In 16th International Conference on Environment and Electrical Engineering (EEEIC), IEEE, Florence, Italy.

The paper presents a hybrid model, described in Chapter 3, for simulation of restoration processes in electricity distribution networks. The hybrid model explicitly considers the technical network as well as the repair system, consisting of repair teams and materiel. The model is applied for an electricity distribution network supplying a city in Sweden. In the case study, the model is demonstrated to be applicable for quantification of three crucial resilience metrics, robustness, rapidity and resilience loss, described in Chapter 4. The analysis carried out in the paper gives an overview of system

76

performance with respect to these three metrics for several levels of system strain. Since technical as well as organizational sub-systems are explicitly considered in the model, the model is argued to be useful for assessment of technical as well as organizational decision variables with respect to their influence on overall system resilience.

Paper III – Resilience assessment of IT networks Landegren, F., Höst, M. & Möller, P. A simulation based method for assessing resilience of socio-technical IT networks. Submitted to an international journal.

The paper demonstrates the applicability of a hybrid modelling approach, described in Chapter 3, for simulation of restoration processes in large scale IT networks that are critical for society. Case studies are performed on a municipal IT network and on the SCADA system of a wastewater network. Using the approach three crucial resilience metrics, robustness, rapidity and resilience loss, can be quantified. Interviews are performed with system experts to get feed-back on perceived usefulness of the approach. The result shows that the approach is experienced as being able to improve system resilience. In particular, the possibility to evaluate the impact of decision variables on the system performance is considered to be useful.

Paper IV – Assessment of weights of electricity customers Landegren, F., Johansson, J. & Samuelsson, O., Comparing quality of supply regulation costs and societal electricity outage priorities: Case study in Sweden. Submitted to an international journal.

In the paper, it is assessed to what extent that two Swedish quality of supply regulations, the RFR and the OCR, reflect societal priorities concerning electricity outages as formalized in the Styrel system. This comparison is carried out in a case study involving the electricity customers in a city in Sweden. Also, an expert elicitation survey is used to complement the picture from the above main approach. Results from the study, presented in Chapter 5, indicate that electricity customers that are critical for maintaining life and health or societal functions are not given due consideration in the present regulations. While this result is not in itself surprising, a means of quantitatively assessing these disagreements is here demonstrated which may lay the foundation for future improvements of quality of supply regulations.

77

Author contributions

Table 3. Level of contribution in six different aspects of research work for the four appended papers. Major=work carried out mainly by author, Medium=work carried out mainly through cooperation between author and co-authors, Minor=little involvement from author, - =work aspect not applicable.

Research idea

Formalizing metrics

Model conceptuali-zation and development

Obtaining data

Performing analysis

Writing paper

Paper I Medium Medium Major Major Major Major

Paper II Medium - Major Major Major Major

Paper III Medium - Major Medium Major Major

Paper IV Minor Medium - Major Major Medium

78

79

Scientific publications

Paper I

IEEE TRANSACTIONS ON SMART GRID 1

A Method for Assessing Margin and Sensitivityof Electricity Networks With Respect

to Repair System ResourcesFinn Erik Landegren, Jonas Johansson, and Olof Samuelsson, Member, IEEE

Abstract—Modern society is becoming increasingly dependenton a continuous supply of electricity. In order to maintain thesafety and security of society and its citizens, it is thereforenecessary that electricity networks are resilient toward disrup-tions whether caused by natural disasters, sinister attacks, orother. Margin and sensitivity are two crucial aspects of theresilience concept which have so far been subject to little research.Here a simulation-based method is presented that enables quanti-tative assessment of margin and sensitivity of electricity networkswith respect to repair system resources. A simulation modelis used that explicitly takes into account the electricity net-work as well as the repair teams and materiel necessary forrepairing network components. The method is demonstratedfor a municipal power distribution system in Sweden whichis subjected to disturbances with a severity up to 12 inde-pendent failures (N-12). An overall conclusion from the casestudy is that the suggested method provides an overview of themargin and sensitivity of the electricity distribution system, withrespect to repair system resources. This information can formthe basis for decisions concerning what amount of resources isappropriate.

Index Terms—Electricity network, resilience, margin,sensitivity, restoration process, simulation.

I. INTRODUCTION

MODERN society is becoming increasingly dependenton a continuous supply of electricity. Also, several

recent events clearly show that electricity networks are vul-nerable and can suffer severe failures. For example, inJanuary 2005, Hurricane Gudrun caused wide-ranging black-outs in the Nordic and Baltic regions, affecting 730,000 cus-tomers in Sweden alone [1]. The 2006 Norwegian Pearlincident caused large parts of Europe to be left without powerfor up to 90 minutes, affecting approximately 15 millionof the continent’s inhabitants [2]. The great societal coststhat follow in the wake of events such as these underlinethe necessity of ensuring increased resilience in electricitynetworks.

Manuscript received September 1, 2015; revised January 11, 2016 andApril 27, 2016; accepted June 7, 2016. This work was supported bythe Swedish Civil Contingencies Agency through the PRIVAD-Project.Paper no. TSG-01059-2015.

F. E. Landegren and O. Samuelsson are with the Industrial ElectricalEngineering and Automation, Lund University, Lund 221 00, Sweden (e-mail:[email protected]).

J. Johansson is with the Division of Risk Management and Societal Safety,Lund University, Lund, Sweden.

Digital Object Identifier 10.1109/TSG.2016.2582080

Today, the resilience concept has gained a firm footing infields as diverse as engineering, biology and psychiatry whereit is used to convey the ability of a material, biotope or personto withstand sudden shocks [3]. The resilience concept hasalso come to be used in the context of infrastructure research(see for instance [4] and [5]). Woods [6] identifies four systemproperties that have to be considered in order to monitor andmanage resilience.

1. Buffering Capacity: the size or kind of disruptions thesystem can absorb;

2. Flexibility versus stiffness: the systems’ ability torestructure itself in response to external changes orpressures;

3. Margin: how closely or how precariously the system iscurrently operating relative to one or another kind ofperformance boundary;

4. Tolerance: how a system behaves near a bound-ary – whether the system gracefully degrades asstress/pressure increases or collapses quickly when pres-sure exceeds adaptive capacity.

Properties 1 and 2 are similar to the two properties robust-ness and rapidity. Robustness and rapidity, together, define theso-called resilience curve, which describes the level of func-tionality of a disrupted system over time [7] (see Fig. 1 left).Robustness is indicated by initial drop in functionality, rapidityis indicated by time required to restore desired functionality.Robustness and rapidity have been extensively treated in theresearch literature concerning resilience of infrastructure sys-tems (e.g., [4], [5], [8], and [9]). Properties 3 and 4 concernhow the system’s ability to cope with disturbances (measuredthrough system rapidity) changes as system parameter valuesare changed (see Fig. 1 right). In other words they are relatedto movement of the system within a system parameter space.As interpreted here, safety is also crucial for understandingproperties 3 and 4. Safety is here defined as rapidity beingwithin a desired time span, tb. Margin can now be clarifiedas the distance, within the parameter space, from the system’spresent location, ri0, to the boundary resource amount, rib+,which is the smallest amount of a given resource ri for whichthe safety condition is fulfilled. Tolerance can be clarified asthe degree to which the rapidity of the system is affected whenresource ri is reduced from rib+ and the system, consequently,crosses over from the safe part of the parameter space to thenon-safe part. Properties 3 and 4 have been addressed withqualitative approaches (see for instance [10]), but, so far, there

1949-3053 c© 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

mailto:[email protected]

http://www.ieee.org/publications_standards/publications/rights/index.html

2 IEEE TRANSACTIONS ON SMART GRID

Fig. 1. Left: Resilience curve showing functionality of a system throughtime. The time limit tb specifies when restoration should have occurred.Right: curve showing mean rapidity of system through variation in resource ri.Margin is indicated by distance between present position of system (black dot)and minimal safe resource amount, rib+. Tolerance is indicated by changein rapidity as system crosses boundary between safe and non-safe resourcedomain.

is not much research on how these properties can be addressedwith quantitative approaches.

This paper presents a method for quantitative assessment ofmargin and sensitivity of electricity networks with respect torepair system resources. Sensitivity is here understood as theopposite of what Woods refers to as tolerance, i.e., a sen-sitive system is affected to a high extent as it crosses theboundary. The choice to use sensitivity rather than tolerance isa mere technicality, motivated by the fact that results have theunit h rather h−1, and are therefore more easily understood.The main contribution of the paper is the method for assess-ing margin and sensitivity quantitatively and not the modelsused for this purpose. A contribution is also the suggestion offormulas for quantification of margin and sensitivity (see equa-tions (13), (14) and (15)) as well as the case-study used to testthe method. The here presented work is related to the field ofreliability analysis of technical infrastructure. However, in con-trast to practices in this field high levels of strain (up to twelvesimultaneous contingencies) are assessed here, also explicitmodels of a technical network and a repair system are com-bined. Generally in the reliability research field only the firstis considered.

In order to assess margin and sensitivity of a given elec-tricity network with respect to repair system resources, theelectricity network’s ability to be restored given various levelsof network strain must be known, as well as how restorabilityvaries with amount of available repair system resources. Fiveapproaches can be distinguished for analysing infrastructurerestoration time (see [11]) they are: 1) empirical curve fit-ting, 2) deterministic resource constraints, 3) Markov processapproach, 4) statistical regression, and 5) simulation. Theseare presented in more detail below.

Empirical curve fitting (ECF), applied for instance in [12],makes use of data obtained from previous events and/or expertopinion to fit restoration curves describing the fraction of facil-ities that are expected to be operational as a function of time.The approach is not suitable for the present purposes sinceit cannot easily be used for assessing restoration times forvarying levels of available repair system resources.

Deterministic resource constraints (DRC) models, appliedin [13], represent the restoration process by means of a set ofsimple equations. This approach can be useful, to some extent,for assessing how restoration time is impacted by variation in

resources. However, the approach is too simplistic too accountfor such dependencies in a detailed way.

The markov process (MP) approach, appliedin [14] and [15], represents the restoration as a Markovprocess where the transition probabilities can be determinedby the amount of rescue resources, geographical condition aswell as structural character of the lifeline system. The samearguments apply for MP as for DRC; impact from variation inresources can be studied but the approach is not appropriatefor studying this relationship in great detail.

With statistical regression (SR), [11], a large number ofvariables are taken into account for the statistical fittingof a restoration model to real life data, such as maximumwind speed, ice thickness and the total number of outages.While this approach indicates how a large number of vari-ables impact on restoration time it is not applicable for givinga detailed understanding of what the consequences of variationin resources will be.

The last among the approaches that have been used foranalysing restoration times is the simulation approach. Twomain kinds of simulation have been used to determine restora-tion times, Monte Carlo simulation applied in [16] and [17]and discrete event simulation, applied in [18]. The main advan-tage of this approach is that it allows resources to be explicitlyconsidered in the model; thereby enabling a more detailedunderstanding of how variation in resources affects restorationtime. A drawback of the simulation approach is that it can betime-consuming to develop and run the simulation models.

It is concluded that ECF and SR are not applicable forassessing margin and sensitivity with respect to repair systemresources. DRC and MP can be preferable if the result doesnot need to have much detail. Simulation finally is preferableif a detailed result is required, and there is sufficient timeavailable for developing and running the simulation models.In this paper simulation is used for assessment of margin andsensitivity with respect to repair system resources. A gap inthe previously performed research in this area is that impactof change in repair system resources on restoration time hasnot been assessed systematically from the resilience perspec-tive of margin and sensitivity. It is this gap that the presentpaper is intended to fill.

Monte Carlo simulation is here performed using a modelthat explicitly represents the technical infrastructure networkas well as the repair system; encompassing repair teamsand repair materiel (Section II). The method is applied ina case study on a municipal electricity distribution system(Section III). The main results from the case study concerningmargin and sensitivity are presented and displayed graphi-cally (Section IV), followed by a discussion and conclusions(Sections V and VI).

II. METHOD

In this section the models used for the distribution net-work and repair system are described first. Then the simulationbased method is presented that enables assessment of marginand sensitivity of electricity networks with respect to repair

LANDEGREN et al.: METHOD FOR ASSESSING MARGIN AND SENSITIVITY OF ELECTRICITY NETWORKS 3

system resources. The latter is considered to be the maincontribution of the paper.

A. Realisation of Simulation Model

A simulation model is used that consists of two sub-models:one representing the infrastructure network and the other rep-resenting the repair system. The infrastructure network isrepresented as a graph G(V, E) where V consists of N nodesand E consists of M edges (see [19]).

V = [n1 n2 . . . nN] (1)

E = [ e1 e2 . . . eM] (2)

The complete set of components in the network, C, isconstituted by the sets V and E, i.e.:

C = [ n1 n2 . . . nN e1 e2 . . . eM ]

= [ c1 c2 . . . cN+M] (3)

An adjacency matrix A is used to represent the connections inthe network:

A =⎡⎢⎣

a11 · · · a1N...

. . ....

aN1 · · · aNN

⎤⎥⎦ (4)

Where aij is 1 if ni is connected to nj by means of an edgeand 0 if no connection exists. In the network the followingcomponents are represented: primary substation transform-ers, -busbars, and -breakers, secondary substations and cables.Three fault modes may occur in secondary substations: trans-former, busbar and cable ending faults. All faults entail lossof supply for customers at the given station. The secondarysubstation transformer is used for supplying the low voltagenetwork, with a voltage level of 0.4 kV. In case of transformerfailure it can be isolated from the busbar, hence allowingtransmission of electricity to the rest of the medium volt-age network through the busbar. Therefore transformer faultsin secondary substations do not affect the topology of themedium voltage network. Cable ending faults and switchgearfaults on the other do affect the topology; no electricity canbe transmitted through the affected station.

Faults of nodes are represented using two boolean vectors,B1 and B2, each with dimension N. If element i in B1 is onethis means that node i has experienced a failure. If element iin B2 is one the failure is a secondary substation transformerfault. A given node i will transmit power if it has not failed,in which case the i:th element in B1 is 0, or if it has a trans-former failure, in which case the i:th element in B1 and B2 areboth 1. A failure of cable ei connecting nj and nk is simulatedby setting ajk and akj to 0. A breadth-first search strategy isused to find all nodes that can be reached from at least onetransformer.

Capacity is not considered in the network model, i.e., thereis no limit concerning the amount of power that can passthrough cables or transformers. A customer is therefore consid-ered to be supplied with power if there is at least one unbrokenpath leading from the substation supplying the customer toat least one in-feed transformer. This is admittedly a simpli-fied model. It will give accurate results for low strain sizes

Fig. 2. Overview of repair system model, including repair teams, r1, threequeues and stock containing materiel,

[r2 r3 . . . rn

]. (BUP=backup power).

since the network is dimensioned to allow feeding of stationsthrough all paths leading to it (i.e., loop distribution from theprimary substations). For higher levels of strain there is a riskthat both the number of affected customers and restorationtimes are underestimated, as power supply can theoreticallycome from farther transformer stations than planned for thenormal capacity of the cables. It should be mentioned how-ever that in case of such high strains the network company islikely to demand of customers that consumption is reduced,thus increasing the likelihood that the network capacity willbe sufficient to supply the basic demand of the customers.Such is the practice in the company studied in this paper. Itcould be possible to implement a model that also considerscapacity of cables, e.g., using an AC load flow model (a com-parison of different models is given in [20]). While this willgive results that would be even more precise, it will howeveralso lead to substantially increased simulation times given thehigh strain levels and amount of scenarios considered here.As argued by [20] topological models, and simplistic capac-ity models, while being simplifications can allow analysis ofgreater scenario spaces then is possible when using more com-plex models. In line with this argument, in the present researchoutage scenarios are analysed for a large number of differentresource conditions. This type of analysis could prove unman-ageable, due to excessive simulation times, if a more complexnetwork model is used.

Electricity outages are simulated using the network model.Sampled scenarios are used due to the excessive simulationtimes that would result if a complete scenario set was used.Samples are drawn randomly from the set of components, C,and all components are equally likely to be chosen. The strainmatrix containing sampled scenarios has the following form:

SM =⎡⎢⎣

c11 · · · cx1...

. . ....

c1S · · · cxS

⎤⎥⎦ (5)

Where x is the number of failed components and S is is thesample size. Each row in the strain matrix thus represents oneoutage scenario.

The repair system is represented as a queuing system(see Fig. 2) in which installation jobs and component faultsare served by a chosen number of 2-man repair teams, r1,using materiel, [r2r3 . . . rn], that are available in stock. Failuremodes and repair times of components are stochastic variables.


Sub-models: The repair system model has four types ofsub-models: jobs, queues, repair teams and stock. Jobs havea repair time and a vector specifying resources neededfor repair/installation as well as a specification concern-ing size of needed repair team. One queue holds backuppower (BUP) installation jobs, and one holds repair jobs. Anadditional queue holds completed jobs, thereby simplifyingpost-simulation analysis. Repair teams serve the first failurein the queue that is serviceable with resources in stock. Ifthis is required, repair teams can cooperate (i.e., two two-manteams can form a four-man team). The stock holds materielof different amounts (specified by a vector).

Process Overview and Scheduling: On each time step, it ischecked if the stock inventory and the number of repair teamsshould be updated (a matrix specifies when and by how muchthe inventory should be refilled). Repair teams do one of thefollowing:

If the repair team is currently working, it:• Returns non-consumable resources if the required usage

time has passed.• Finishes current repair/installation job if the job has been

serviced during its required service time. The repair teamthen becomes ready to take new assignments.

If the repair team is not currently working, it does one ofthe following:

• Joins a currently ongoing repair operation that is under-staffed.

• Begins repair on the first job in queue that can be servicedwith the available resources. The queue of backup powerjobs is preferred before the queue of repair jobs sincebackup power installation is more time efficient.

The repair system model was implemented in object ori-ented programming in Matlab�.

Job prioritization: Although variations may occur amongdistribution system operators (DSOs), prioritization of repairis likely to be decided to a high extent so that energy not sup-plied (ENS) is minimized. This goal is reached by prioritizingjobs that will bring back most load per hour of work time.Also, stations that supply customers that are critical to society(e.g., hospitals and police) are likely to be prioritized. In themodel installation and repair jobs are performed in descendingorder in accordance with UCi; meaning the utility of the jobwith respect to supply of critical customers. Faults that haveidentical UCi are ordered, amongst each other, in descendingorder in accordance with UPi; the utility of the job with respectto supply of lost load. UPi and UCi for BUP installation jobsare decided according to (6) and (7):

UPi = Pi/Ni (6)

UCi = Ci/Ni (7)

Where Pi is power demanded by secondary substation i, Ni

is number of BUP units needed to supply station i and Ci isa Boolean, being 1 if station i is supplying critical customers,otherwise 0. Work time is not considered when calculatingutility of BUP installations since we were informed by theDSO that time required for this installation is constant andtherefore will not affect the prioritization order among BUP

Fig. 3. Overview of the method for assessing margin and sensitivity.

installations. UPi and UCi for repair jobs are decided accordingto (8) and (9):

UPi = Pitot/Ti (8)

UCi = Citot/Ti (9)

Where UPi is utility of repairing fault i with respect to supplyof lost load, UCi is utility of repairing fault i with respect tosupply of critical customers, Pitot is total load brought backby repairing fault i. Ti is time required to repair fault i andCitot is total number of stations supplying critical customersthat are brought back by repairing fault i. In order to decidePitot and Citot all islands in the network are identified. Islandsare here defined as non-supplied, non-faulty and internallyconnected parts of the network, encompassing one secondarysubstation or more. Pitot and Citot can then be calculated asin (10) and (11):

Pitot = (Pi + PI1 + PI2 + · · · + PIx) ∗ bs (10)

Citot = (Ci + CI1 + CI2 + · · · + CIx) ∗ bs (11)

Where PIj is the total power demand in the j:th island that hasmember components that are connected to component i, bs isa Boolean being 1 if component i is connected to suppliedregion in the network, otherwise 0 and CIj is the total numberof stations supplying critical consumers in the j:th island thathas member components that are connected to component i.

B. Assessment of Margin and Sensitivity

The overall structure of the here proposed method is shownin Fig. 3. The method consists of five main steps, one ofwhich concerns simulation of electricity network restorationprocesses. The following section discusses the five main steps.The four sub-steps of the simulation step will not be dis-cussed further since these have been covered previously inthe presentation of the simulation model.

Choosing strain levels: Both small strain levels, such asN-1 and N-2, and larger strain levels should be included inthe analysis, considering that the former represent more likely


Fig. 4. Graphical illustration of margin and sensitivity with respect toresource ri. White bars indicate that SR is fulfilled, grey that it is not fulfilled.Black dot indicates present state of system.

scenarios, while the latter, although infrequent, may have dis-astrous consequences. (N-k refers to failure of k out of thetotal number of components in the network.)

Choosing safety requirement: A safety requirement (SR) isdecided, which specifies a time limit when electricity networkservices should be fully restored as well as a degree of cer-tainty that restoration will occur within the specified time limit(e.g., 95, 99 or 100%).

Choosing resources to vary: Sensitivity experiments are per-formed in order to find out how mean restoration time andfulfilment of SR depend on repair system resources. Sensitivityexperiments are carried out by changing one or more sys-tem variables over a wide range to see how the systemresponds [21]. This is here done for two variables simulta-neously. Resources varied in the analysis are chosen fromthe overall set of repair system resources, r = [r1 r2 . . . rn],encompassing n different types of resources. Repair resourcesare of two main types: personnel (repair teams) and materiel.For a given resource, ri, to be included in the analysis, min-imum (rimin) and maximum (rimax) values as well as stepsize (ristep) must be decided. The values of ri used in theanalysis are [rimin, rimin+ristep, rimin+2 ∗ ristep, ... , rimax].Since sensitivity analyses are performed for two resourcesat a time, in a given analysis involving the two resourcesri and rj, simulations will be performed for the followingresource values:

Mi,j =⎡⎢⎣

rimin, rjmin · · · rimax, rjmin...

. . ....

rimin, rjmax · · · rimax, rjmax

⎤⎥⎦ (12)

Performing simulations: For two given resources ri and rj,a chosen number of simulations are sampled for each resourcecombination in Mi,j. The sample size needed to obtain a reli-able result is determined through convergence analysis (seeSection III). Based on the results from the simulations, thefulfilment of SR as well as mean restoration time, R, can bedecided for each resource combination in Mi,j.

Assessing margin and sensitivity: ri0 denotes the presentamount of resource ri. If resource ri is changed in discretesteps ristep, SR might change from being fulfilled to not beingfulfilled or vice versa (see Fig. 4). The system is then saidto have crossed a safety boundary. rib+ denotes the smallestamount of resource ri for which SR is still fulfilled, whilerib− denotes the largest amount resource ri for which SR isnot fulfilled. Notice that the value of rib+ and rib− (and hence

of margin and sensitivity as defined here) depend on the stepsize used (ristep). Margin and sensitivity concerning resourceri are defined according to (13) and (14):

Mi = ri0 − rib+ri0

(13)

S1i = R(rib−) − R(rib+) (14)

R denotes the capacity of the system to be restored andit is a function of the amount of resources of the system. Rcan potentially be defined in various ways; here however Ris the mean restoration time of the system. Mi indicates howclose the system is to the safety boundary with respect toresource ri (horizontal distance in Fig. 4). Mi can be nega-tive, in which case the system is at present not fulfilling SR.S1i is the increase in mean restoration time that occurs as thesystem moves across the safety boundary (from rib+ to rib−)(see Fig. 4). Hence a large sensitivity means that there isa large increase in mean restoration time as the safety bound-ary is crossed. S1i captures the meaning of sensitivity aschange in system behaviour near a boundary, that is suggestedby Woods. Here, also, an additional form of sensitivity, S2i,is proposed:

S2i = R(ri0) − R(rib+) (15)

S2i is the increase in mean restoration time that occurs asthe system moves from its present position to the safe side ofthe boundary (from ri0 to rib+), (see Fig. 4). Hence a large sen-sitivity means that there is a large increase in mean restorationtime as the system moves from the present position to the safeboundary value. S2i provides information about consequencesof movement within the safe area; something that is not pro-vided by S1i. If SR is either fulfilled for all values of ri or notfulfilled for all values of ri no safety boundary will exist withrespect to ri. Then rb+, rb−, Mi, S1i and S2i are undefined.Fig. 4 shows how the resilience metrics are related.

III. CASE STUDY

In this section, the method is applied in a case study on anelectricity distribution system of a midsize city in Sweden. Thesystem in the case study has also been studied in [22] and [23].It is an 11kV system consisting of altogether 1203 compo-nents: 539 nodes (secondary substations as well as primarysubstation transformers, busbars and breakers) and 664 cables.87 out of the 401 secondary substations supply customers thatare critical for society. The network is supplied from 10 in-feedtransformers from higher voltage levels and serves roughly40,000 customers. Eight of the transformers have a capacityof 40 MW. The remaining two are owned by another DSOand for the supply of the studied system there is a capacitylimit of 8.5 MW imposed for each transformer. The total trans-former capacity is 337 MW. The yearly mean power demandof the customers is close to 100 MW. The fact that trans-former capacity is so much larger than normal consumptionmeans that shortage of capacity is unlikely to occur.

A. Parameterization of the Simulation Model

The simulation model is parameterized based on data gath-ered through interviews with employees at the electricity


TABLE IARRIVAL OF REPAIR TEAMS AND RESOURCES. ∞ INDICATES

THAT RESOURCES ARE SUFFICIENT FOR ANY

KIND OF REPAIR ACTIVITIES

distribution company. Table I shows information from theinterviews concerning amount of repair system resources thatare available over time.1 ∞ indicates that resources are suffi-cient for any kind of repair activities. As is seen in Table I,after 12-24 hours most resources become sufficient for anykind of repair activities. This is due to the fact that theDSO studied here co-operates with other DSOs and is therebygranted resources, here modelled as being infinite, when itsown resources are insufficient. Two kinds of materiel, excava-tors and trucks, are not permanently consumed but are returnedto the stock after some usage time, deterministically set to3.5 hours in accordance with information from the DSO.

The interviews also concerned information about failuremodes, repair time and resources needed for repair of compo-nents (see Table II). For many types of repair jobs the repairtime is uncertain (uncertainty interval is denoted with brack-ets). Repair times are here modelled assuming rectangulardistribution in the uncertainty interval. From the interviewsit became clear that a 2-man team can perform a repair jobthat requires a 4-man team, but the repair time will then dou-ble. If a repair team joins an already ongoing but understaffedrepair operation, the remaining repair time is assumed to behalf as long.

Supply of customers can be achieved not only through repairof faulty components, but also through installation of backupsolutions (see Table III). Installation of a spare station has thesame effect as repair of a faulty station. Installation of BUP isa relatively quick way of restoring supply; however the out-put power of BUP units is limited to 400 kW. In the modelit is therefore assumed that stations with a yearly mean load>400 kW (≈10% of the stations in the studied network) willrequire two BUP units in order to be supplied. The DSO hasstated that they will not install more than two BUP units at

1The amount of transformers and switchgear that is immediately availableis assumed, since this information was not acquired through the interviews.

TABLE IICOMPONENT FAILURE DATA, BRACKETS INDICATE UNCERTAINTY

TABLE IIITYPES OF INSTALLATIONS THAT CAN BE PERFORMED

a station. Therefore, in the model, stations with mean yearlypower consumption >800 kW (≈2.5% of the stations) cannotbe supplied with BUP. Installation of mobile primary substa-tions, finally, provides a substitute for faulty transformers andbusbars in primary substations.

B. Simulation of the System

Semi-discrete event simulation is used. The simulationmodel is initially run continuously, meaning that a constanttime step (1/4 hours) is used. However, three types of events(installation of mobile primary substations, repair of trans-formers and repair of busbars) occur after long time intervalsmaking discrete event simulation advantageous. Fig. 5 showsthe division that is made between the continuous and discreteevent simulation domains, as well as the time points at whichdiscrete events occur. Installation of mobile primary substa-tions and repair of transformers is limited by available mobileprimary substations and primary substation transformers (two


Fig. 5. Continuous and discrete event simulation domains.

are available of each). Repair of busbars is here not assumedto be a limiting factor, meaning that all faulty busbars will berepaired when the 30 days repair time has passed.

C. Convergence Analysis

15,000 samples is used for analysis of all levels of strain andresource conditions. This leads to a total simulation time forthe entire analysis of about 28 days (simulations were run inparallel on a computer with 32 GB of RAM, 64-bit operatingsystem and an eight core 4 GHz processor). The so calledcoefficient of variation, β, is used to assess the convergenceof the results [24]. The coefficient of variation is given byequation (16).

β =√

V(F)/NS

E(F)(16)

Where V(F) is the variance in the result F, NS is the numberof samples and E(F) is the expected result. This is calculatedin accordance with below:

E(F) =∑NS

j=1 F(Xj

)

NS(17)

Assessment is made for three levels of strain, N-1, N-6 andN-12, which covers the range of strain included in the analysis,as well as for several resource conditions, chosen so as tocover the extremes of the resource sets investigated in theanalysis. The resource conditions are: normal (see Table I),as well as variation in the following resources: 2-man repairteams, excavators, trucks, cable and BUP units. Two types ofvariation are considered: resource depletion, meaning that thevaried resource is set to zero (or one in the case of repairteams) and resource abundance, meaning that the resource isset to twice its normal amount. All resources except the onevaried retain their normal value. In all investigated cases β isbelow 3%. β-values below 5 [25] and 6% [24] have previouslybeen considered to indicate good convergence.

D. Choice of Safety Requirement and Varied Resources

SR is defined as restoration of power supply to all cus-tomers within 24 hours in 95% of the simulated scenarios.The reason for using a 24 hour limit is that a Swedish regu-lation, in place since 2011, demands that no customer shouldsuffer more than 24 hours of outage. A finding that is madeis that for all levels of strain and resource conditions some

scenarios will have a restoration time that is much longer than24 hours. Seeing that 100% safety is not attainable for anyof the analysed resource levels it is instead investigated whatis needed in terms of resources to at least achieve restorationwithin 24 hours in 95% of the scenarios.

The following repair system resources are considered in theanalysis: 2-man repair teams, excavators, trucks, cable andBUP units. The remaining repair system resources (transform-ers, switch-gear, breakers and spare stations) were initiallyconsidered as well but preliminary analysis showed them tohave a little impact on the restoration time and they are there-fore not included in the final analysis. Here all resources arevaried in combination with BUP units. In this way two basicstrategies can be contrasted: achieving restoration throughrepair or through deployment of BUP units. The maximumand minimum values for the resources are generally chosenso that increase as well as decrease from the present amountof resource is explored. Cable is however analysed only forvalues significantly smaller than the present amount. This isdue to the fact that the studied DSO has more cable availableat present than could be needed for any of the strain sizessimulated here.

IV. RESULT

The analysis in the case study is performed for six differentlevels of strain (N-1, N-2, N-3, N-6, N-9 and N-12) as wellas for five different kinds of repair system resources (repairteams, excavators, trucks, cable and BUP). Margin and sensi-tivity is calculated and presented for all six levels of strain.To exemplify the results, 3D-graphs are presented for three ofthese strain levels (N-1, N-6 and N-12) and for three of theseresources. The DSO estimated that repair system resources(repair teams and materiel) would arrive within an intervalbounded by the lower limit of 12 hours and the upper limit of24 hours. Hence, analyses are here performed for two differ-ent cases; resource delivery time (RDT) of 12h and RDT of24h. For sake of brevity, repair teams, excavators, trucks, cableand BUP are respectively abbreviated with rep, exc, truck,cable, bup.

Fig. 6 (A-C) show the results obtained when number ofBUP units is varied in combination with trucks, repair teamsand cable. It can be seen from Fig. 5 A and B that the sys-tem at its present position in the parameter space has a meanrestoration time of less than 2 hours for N-1 level of strain,about 5 hours for N-6 and about 7 hours for N-12 for bothof the cases RDT=12h and RDT=24h. The systems presentposition, however, cannot be seen in Fig. 6 C, since the sys-tem presently has more cable than any of the values used inthe analysis. It can also be seen from Fig. 6 (A-C) that thesystem at its present position in the parameter space fulfilsSR for all levels of strain and both cases of RDT. In otherparts of the parameter space, change in RDT has significanteffects. For RDT=12h (see graphs on the left side in Fig. 6(A-C)) the system can have any of the analysed resource com-binations and still fulfil SR for all three levels of strain. Also,mean restoration time increases only moderately with reduc-tion in resource levels. In contrast, for RDT=24h (right sidein Fig. 6 (A-C)) for all analysed levels of strain some analysed


Fig. 6. BUP is varied together with A) trucks, B) repair teams C) cable.Strain level for each bar graph (N-1, N-6 or N-12) is shown on the rightside in each graph. Height of bars show mean restoration time. Areas whereSR is fulfilled are white, remaining areas are grey. Graphs in left column areobtained for RDT=12h, graphs in right column are obtained for RDT=24h.Black point shows present position of system.

resource combinations will lead to SR being unfulfilled. It canalso be seen that the area in which SR is not fulfilled expandwith increasing level of strain, in other words in most casesmargin is decreasing with increasing level of strain. We canalso see that in many cases mean restoration time is increasingsharply as level of resources is reduced.

Fig. 7 A, B and C respectively show margin, sensitivity1and sensitivity2 for all six levels of strain and the five types

Fig. 7. Margin (A) Sensitivity 1 (B) and Sensitivity 2 (C) with respect torepair teams (o), excavators (triangle), trucks (*), cable (x) and 400 kVA BUPunits (star).

of resources included in the analysis. As is seen in Fig. 7, whenassuming RDT=12h, margin and sensitivity are generallyundefined. Results are therefore shown only for RDT=24h. Asthe effects of different levels of BUP units has been contrastedagainst varying levels for the rest of the resources, mean valuesof Mbup, S1bup and S2bup are presented. From Fig. 7 A we seethat at strain levels N-3 and below only Mtruck is defined, andit is relatively high, >0.7, meaning that 70% of the resourcecan be lost without loss of safety. For strain levels N-6 andabove Mbup and Mexc are also defined. At strain level N-6 mar-gin is relatively high for all resources (>0.6). At higher levelsof strain Mexc remain unchanged, while Mtruck and Mbup godown to about 0.5 and 0.3 respectively, meaning that reduc-tions in number of trucks >50% and number of BUP units>30% will lead to loss of safety. Finally, we see that Mcable

and Mrep are defined only at the N-9 and N-12 levels of strainand both are high (≈1 and ≈0.7 respectively).

From Fig. 7 B left, we see that at strain levels N-3 andbelow, S1truck is increasing from ≈7 hours to ≈15 hours,showing that exceeding the safety boundary with respect totrucks will result in considerable increases in mean restora-tion time. At the N-6 level of strain S1bup and S1exc arequite low, ≈2 hours, while S1truck reaches a maximum of≈17 hours. At N-9 and N-12 levels of strain S1rep and S1exc

are about 4 hours, and S1bup and S1cable are very small,≈1 hour. S1truck decreases a bit at N-9, and drops significantlyat N-12 level of strain, to about 4 hours. It might appear coun-terintuitive that sensitivity can decrease with level of strain.This however results from an increase in mean restorationtime under present resource condition, R(r0), or in the safeboundary value, R(rb+), which thereby makes the transitionsto and across the boundary less felt.

Fig. 7 C shows how S2 varies with level of strain. S2 isgenerally calculated in relation to the present mean restora-tion time of the system (see equation (15)). In the case ofcable it is however calculated against the case that we havethe maximum amount of cable used in the analysis, 270 m. The


result obtained for this amount is equivalent to that obtainedfor the present amount, 2000 m, since the largest amount thatcould be required given the largest level of strain used in theanalysis, N-12, is 12*20=240 m; where 20 m is the amountneeded to join two cable sections. From Fig. 7 C we see thatfor strain levels N-3 and below S2truck is small (<1 hour).Hence reducing the number of trucks to its safe boundaryvalue (rb+) will lead to an increase in mean restoration timeof less than an hour. At the N-6 level of strain S2truck and S2bup

are about 2.5 hours and S2exc is close to zero. At the N-9 levelof strain S2truck reaches a peak value of ≈4 hours and goesdown to ≈2 hours at the N-12 levels of strain. S2bup is around2 hours and values for remaining resources are relatively low(<1 hour).

V. DISCUSSION

Much research has been done on resilience of infrastructuresystems. However the issues of margin and sensitivity haveso far not been subject to much study. This paper presentsa method for quantitative assessment of margin and sensi-tivity of electricity networks with respect to repair systemresources. The applicability of the method was demonstratedin a case study. The suggested method can hence be useful forDSOs as a means of monitoring their performance in relationto a decided safety requirement.

The study yielded a number of interesting results. It wasshown that the studied DSO at present fulfils the safetyrequirement for all analysed levels of strain. This means thatthe DSO is able to restore power supply to all customerswithin 24 hours in at least 95% of the investigated scenarios.However, if even larger strains than N-12 would occur, thisconclusion will most likely not hold. The method can thusbe used to investigate if restoration of power supply is withinthe 24 hour time limit that is demanded by Swedish law. Theresults furthermore revealed how changes in resources wouldaffect fulfilment of SR as well as mean restoration times,thereby indicating possible scarcity or abundance of resources.Margin can only be considered low at the N-12 level of strain,and then primarily with respect to BUP units, and, to a smallerextent, with respect to trucks. It was also found that sensi-tivity1 is highest with respect to trucks, and sensitivity2 ishighest with respect to trucks and BUP units. This shows thatreduction in number of trucks and BUP units will generallyhave largest impact on system performance. Furthermore, thecase study demonstrated the importance of not only consider-ing present safety performance of the system. At its presentplace in the system parameter space, change of delivery timeof external resources (RDT) has little effect on the systemssafety performance, leaving fulfilment of SR unaffected andmean restoration time approximately the same. In surroundingareas in the parameter space, change in RDT is found to havelarge impact on restoration time.

A. Validity of the Models

The validity of the presented results depends on severalfactors. One factor is that only topology, and not capacity,is taken into account in the network model. This may lead

to underestimation of both number of affected customers andrestoration time when the largest strain sizes are simulated,since supply can come from secondary substations furtheraway. In effect this may cause margin to be overestimated andsensitivity to be underestimated. If the here presented methodis applied in the industry for analysis of high levels of strainit could be desirable to use a model that also considers someaspects of network capacity, such as capacity of transformers.Using an AC load flow model can however make the analysisunmanageable due to overly long simulation times, if a largenumber of resource conditions are assessed. There is a trade-off between the precision with which the network is modelledand the size of the resource parameter space investigated. Inthe study double stations, i.e., stations housing two sets oftransformers (making out 12% of the total number of stationsin the network) were treated as single stations, i.e., the twotransformers were treated as one. Also, satellite stations, i.e.,stations in the periphery of the network that do not containswitchgear, were treated as normal stations. They could there-fore have switchgear faults in the model which in reality arenot possible. This leads to an overestimation of vulnerabil-ity of the system with respect to transformer and switch-gearfaults. Despite these overestimations, results showed amountof transformers and switch-gear in stock to have little impacton system performance. Concerning prioritization of jobs, onlyimmediate consequences of job completion were considered.This can lead to sub-optimal repair strategies in cases wheremultiple repair jobs are required to bring back power to oneor more customers.

B. Future Work

Three main directions for future research can be distin-guished. Firstly, the here presented method can presently onlybe used to perform sensitivity experiments with respect to twosystem parameters at a time. It is possible to develop themethod to take into account changes of the system occur-ring in an N-dimensional resource parameter space, givenN>2. Considering that infrastructure systems are generallysocio-technical systems, and as such prone to undergo simul-taneous change in multiple variables, it could be valuableto develop an analysis method along these lines. A seconddirection for future research will be to apply the suggestedmethod to infrastructure systems other than electricity net-works. The method might be applicable for analysing a widerange of infrastructures, including transport, water, telecom-munication, and IT-systems. A third direction for research is totake into account the effect that infrastructure interdependen-cies could have on the repair system. In particular, repair workmay be heavily dependent on telecommunication and trans-port systems. These dependencies are likely to be especiallypronounced in electricity networks spanning wider areas.

VI. CONCLUSION

A method was presented that enables quantitative assess-ment of margin and sensitivity of electricity networks withrespect to repair system resources; two aspects of infrastruc-ture resilience which have hitherto not been subject to much


study. It has been found that the presented method can beuseful for DSOs as a means of assessing their ability to copewith serious disturbances. It is also shown how this abilityis affected by changes in repair system resources. Resultsobtained enable a graphical display of margin and sensitivityof the system thereby making these system properties easilyaccessible. Based on this information decisions can be madeconcerning what amount of repair system resources that isappropriate.

REFERENCES

[1] M. Toll, “Storm Gudrun—What can be learnt from the naturaldisaster of 2005?” Swedish Energy Agency, Eskilstuna, Sweden,Tech. Rep. ET 2007:36, 2007.

[2] X. Chen, C. Deng, Y. Chen, and C. Li, “Blackout prevention: Anatomyof the blackout in Europe,” in Proc. Int. Power Eng. Conf., Singapore,2007, pp. 928–932.

[3] A. Boin, L. K. Comfort, and C. C. Demchak, “The rise of resilience,”in Designing Resilience: Preparing for Extreme Events. Pittsburgh, PA,USA: Univ. Pittsburgh Press, 2010, ch. 1, pp. 7–12.

[4] M. Ouyang, L. Dueñas-Osorio, and X. Min, “A three-stage resilienceanalysis framework for urban infrastructure systems,” Struct. Safety,vols. 36–37, pp. 23–31, May/Jul. 2012.

[5] E. D. Vugrin, D. E. Warren, and M. A. Ehlen, “A resilience assess-ment framework for infrastructure and economic systems: Quantitativeand qualitative resilience analysis of petrochemical supply chains toa hurricane,” Process Safety Progr., vol. 30, no. 3, pp. 280–290, 2011.

[6] D. D. Woods, “Essential characteristics of resilience,” in ResilienceEngineering: Concepts and Precepts. Burlington, VT, USA: Ashgate,2006, pp. 21–34.

[7] T. McDaniels, S. Chang, D. Cole, J. Mikawoz, and H. Longstaff,“Fostering resilience to extreme events within infrastructure systems:Characterizing decision contexts for mitigation and adaptation,” Glob.Environ. Chang, vol. 18, no. 2, pp. 310–318, 2008.

[8] M. Bruneau et al., “A framework to quantitatively assess and enhancethe seismic resilience of communities,” Earthq. Spectra, vol. 19, no. 4,pp. 733–752, 2003.

[9] J. H. Kahan, A. C. Allen, and J. K. George, “An operational frameworkfor resilience,” J. Homel. Security Emerg. Manag., vol. 6, no. 1, 2009,pp. 1–48.

[10] D. Mendonça and W. A. Wallace, “Factors underlying organizationalresilience: The case of electric power restoration in New York Cityafter 11 September 2001,” Rel. Eng. Syst. Safety, vol. 141, pp. 83–91,Sep. 2015.

[11] H. Liu, R. A. Davidson, and T. V. Apanasovich, “Statistical forecastingof electric power restoration times in hurricanes and ice storms,” IEEETrans. Power Syst., vol. 22, no. 4, pp. 2270–2279, Nov. 2007.

[12] D. A. Reed, K. C. Kapur, and R. D. Christie, “Methodology for assessingthe resilience of networked infrastructure,” IEEE Syst. J., vol. 3, no. 2,pp. 174–180, Jun. 2009.

[13] M. Isumi, N. Nomura, and T. Shibuya, “Simulation of post-earthquakerestoration of lifeline systems,” Int. J. Mass Emerg. Disasters, vol. 3,no. 1, pp. 87–105, 1985.

[14] F. Kozin and H. Zhou, “System study of urban response and reconstruc-tion due to earthquake,” J. Eng. Mech., vol. 116, no. 9, pp. 1959–1972,1990.

[15] R. H. Zhang, “Lifeline interaction and post-earthquake urban systemreconstruction,” in Proc. 10th World Conf. Earthq. Eng., Madrid, Spain,1992, pp. 5475–5480.

[16] R. E. Brown, S. Gupta, R. D. Christie, S. S. Venkata, and R. Fletcher,“Distribution system reliability assessment: Momentary interruptionsand storms,” IEEE Trans. Power Del., vol. 12, no. 4, pp. 1569–1575,Oct. 1997.

[17] N. Balijepalli, S. S. Venkata, C. W. Richter, Jr., R. D. Christie, andV. J. Longo, “Distribution system reliability assessment due to light-ning storms,” IEEE Trans. Power Del., vol. 20, no. 3, pp. 2153–2159,Jul. 2005.

[18] T. Tabucchi, R. Davidson, and S. Brink, “Simulation of post-earthquakewater supply system restoration,” Civ. Eng. Environ. Syst., vol. 27, no. 4,pp. 263–279, 2010.

[19] J. Johansson, “Risk and vulnerability analysis of interdependent techni-cal infrastructures: Addressing socio-technical systems,” Ph.D. disserta-tion, Dept. Meas. Technol. Ind. Elect. Eng., Lund Univ., Lund, Sweden,2010.

[20] S. LaRocca, J. Johansson, H. Hassel, and S. Guikema, “Topological per-formance measures as surrogates for physical flow models for risk andvulnerability analysis for electric power systems,” Risk Anal., vol. 35,no. 4, pp. 608–623, 2015.

[21] S. F. Railsback and V. Grimm, “Emergence,” in Agent-Based andIndividual-Based Modeling: A Practical Introduction. Princeton, NJ,USA: Princeton Univ. Press, 2011, p. 104.

[22] H. Jönsson, J. Johansson, and H. Johansson, “Identifying critical compo-nents in technical infrastructure networks,” Proc. Inst. Mechanical Eng.,O J. Risk Rel., vol. 222, no. 2, pp. 235–243, 2008.

[23] F. Landegren, J. Johansson, and O. Samuelsson, “Comparing soci-etal consequence measures of outages in electrical distribution sys-tems,” in Proc. Eur. Safety Rel. Assoc. Conf., Wrocław, Poland, 2014,pp. 189–196.

[24] A. Sankarakrishnan and R. Billinton, “Sequential Monte Carlo sim-ulation for composite power system reliability analysis with timevarying loads,” IEEE Trans. Power Syst., vol. 10, no. 3, pp. 1540–1545,Aug. 1995.

[25] J. M. S. Pinheiro, C. R. R. Dornellas, M. T. Schilling, A. C. G. Melo, andJ. C. O. Mello, “Probing the new IEEE reliability test system (RTS-96):HL-II assessment,” IEEE Trans. Power Syst., vol. 13, no. 1, pp. 171–176,Feb. 1998.

Finn Erik Landegren received the M.S. degreein socio-technical systems engineering from theUniversity of Uppsala, Sweden, in 2010. He iscurrently pursuing the Ph.D. degree in automationwith Lund University. His research interests are inresilience analysis of critical infrastructure systemsin general and electrical distribution systems in par-ticular, focusing on modelling and simulation ofinfrastructures with special emphasize on recoveryof service after disruptions and how society dependson a reliant supply of electricity.

Jonas Johansson received the M.Sc. degree in elec-trical engineering and the Ph.D. degree in automa-tion from Lund University, Sweden, in 2003 and2010, respectively. He is currently an AssociateProfessor in Critical Infrastructures with the Divisionof Risk Management and Societal Safety, LundUniversity. His main research areas of interest areresilience, vulnerability, and risk management ofcomplex systems, particularly large-scale interde-pendent critical infrastructures and how societydepend on the services these provide. Infrastructure

applications include power, railway, telecommunication, and water supplysystems. Societal applications include municipal, regional, and governmen-tal aspects of crisis management from a resilience perspective, focusing oninterdependencies among societal functions and critical infrastructures. From2007 to 2013, he was an Infrastructure Risk Consultant with Grontmij AB,Sweden. In 2012, he was a Visiting Scholar with Johns Hopkins University,USA. He is a Co-PI of the Centre for Critical Infrastructure ProtectionResearch and affiliated to Lund University Centre for Risk Management.

Olof Samuelsson received the M.Sc. and Ph.D.degrees from Lund University, in 1989 and 1997,respectively, where is a Professor of Electric PowerSystems at the Division of Industrial ElectricalEngineering and Automation. His research coverstransmission issues such as dynamics (damping,inertia), stability, and large disturbances (includ-ing geomagnetically induced currents), as well asdistribution issues such as microgrids, integrationof distributed generation, and resilience to largedisturbances.

Paper II

978-1-5090-2320-2/16/$31.00 ©2016 IEEE

A Hybrid modell for Assessing Resilience of

Electricity Networks

Finn Landegren & Olof Samuelsson Division of Industrial Electrical Engineering and

Automation Lund university

Sweden

Jonas Johansson Division of Risk Management and Societal Safety

Lund university Sweden

Abstract A hybrid model is used for quantification of three resilience metrics: robustness, rapidity and resilience loss. The approach is demonstrated in a case study on a municipal electricity distribution system. An overall conclusion from the case study is that the suggested method provides an overview of the resilience metrics of the electricity distribution system and that it allows the network operator to see for what levels of strain that they reach their targets concerning system resilience. It is also concluded that the presented approach can enable assessment of how decision variables, relating to the technical network as well as to the repair system, are impacting system resilience.

Keywords Electricity network, resilience, robustness, rapidity, restoration time, recovery, simulation

I. INTRODUCTION

Modern society is increasingly dependent on electricity. For this reason electricity distribution systems should be designed to be resilient, meaning that they can either withstand chocks with minor loss of functionality or otherwise quickly recover lost functionality. The importance of achieving more resilient electricity networks is reflected in regulations governing the electricity sector. For instance, in Sweden, legislation demands that electricity outages should not be longer than 24 hours. This legislation sets a standard for the resilience of electricity networks. In order for distribution system operators (DSOs) to abide by laws such as this one and enable design of more resilient electricity networks, resilience metrics are needed as well as methods and models for their quantification. The research question posed here is if a hybrid model, previously presented in [1], is applicable for quantification of three resilience metrics: robustness, rapidity and resilience loss. In order to answer this question the model is used in a case study on a municipal electricity distribution system.

II. THEORY

Three key resilience metrics are studied: robustness, rapidity and resilience loss. These metrics have been subject to much research previously, as is seen in a recent review of resilience [2]. The contribution of this paper is the application of a hybrid model for assessing these three resilience metrics using real-life data. As suggested by [3] recovery time ( )

provides a measure of robustness, where is the initial loss in normalized functionality. and are, in accordance with [3], calculated as in (1) and (2):

(1)

(2)

denotes the system functionality at time . Functionality could potentially be understood in several ways, such as for instance, the amount of customers supplied. Here, however, it is understood as amount of power supplied normalized through division with power demanded. is the time point of the disturbance and is the time point at which full recovery occurs. Resilience loss ( ) is calculated through (3), in accordance with [4].

(3)

Where is the functionality of the system at time . Fig. 1, which exists in many versions e.g. in [4], illustrates how the three metrics are related to the so called resilience curve, showing the functionality of a disrupted system over time.

Fig. 1. Resilience curve showing level of functionality of a disrupted system over time.

In order to quantify the mentioned resilience metrics an assessment must be made of system functionality over time. Five main approaches can be distinguished that can be used for this purpose: 1) empirical curve fitting (e.g. [5]), 2) deterministic resource constraints (e.g. [6]), 3) Markov process approach (e.g. [7]), 4) statistical regression (e.g. [8]), and 5) simulation (e.g. [9]). Here approach 5) is employed; a

method based on Monte Carlo simulation is used for assessing system resilience. The main reason for why we use simulation is that it makes it possible to explicitly consider repair system resources and their impact on the restoration process. This is either not possible, or only possible to a limited extent with competing approaches.

III. HYBRID MODEL

Simulations are done using a hybrid model which considers the technical network, represented using graph theory, as well as the repair system, represented by a queuing model. Only corrective, and not predictive, maintenance is considered in the model. The model has been used in [1] and is presented here only so that the results can be understood. The contribution of this paper is the application of the model in a new context, namely for assessing three resilience metrics. The technical network is represented as a graph where

consists of nodes and consists of edges (see e.g. [10]).

(4)

(5)

The complete set of components are described by a vector .

(6)

An adjacency matrix describes the network connections.

(7)

is 1if there is a connection between nodes and , and 0 if there is no connection. The following components are represented as nodes: primary sub-station transformers, -busbars and -breakers, and secondary sub-stations. Cables are represented as edges. Three fault modes may occur in secondary sub-stations: 1) busbar fault, 2) cable ending fault and 3) transformer fault. All faults lead to loss of supply for customers at the given station. Transformer faults will not affect the stations ability to transmit power through the network, while other faults entails that no power can be transmitted across the station. Two Boolean vectors, and

, are used for representing faults of nodes, both with dimension . If the :th element in is 1 this means that node has experienced a failure, if it is 0 no failure has occurred. If the :th element in is 1 this means that it is a secondary sub-station transformer fault, if it is 0 it is not. Node will transmit power if it has not failed, in which case the :th

element in is 0, or if it has experienced a transformer failure, in which case the :th elements in and are both 1. A failure of an edge connecting nodes and is simulated by setting elements and in the adjacency matrix to 0. A breadth first search strategy is used to find all nodes that can be reached from at least one primary sub-station transformer.

Capacity is not considered in the model, i.e. there is no limit set on how much power that can pass through cables and transformers. A customer is considered to be supplied if there is at least one unbroken path leading from a primary sub-station transformer to the secondary sub-station supplying the

customer. This is admittedly a simplified model. It will give accurate results for low levels of strain if the network is dimensioned to allow feeding of stations through other paths. For higher levels of strain there is a risk that both the number of affected customers and the restoration time is underestimated. During such extraordinary events it is likely, though, that the network operator demands of customers to reduce their consumption, thus increasing the likelihood that the network capacity will be sufficient. Such is the practice in the network studied in this paper. It would be quite straight forward to consider network capacity by for instance using the model in [10]. While giving results that are more precise this will also lead to longer simulation times.

The network model makes it possible to simulate network disturbances of varying degree given the structure of the network. Sampled scenarios are used, since using a complete scenario set is computationally intractable. Samples are drawn randomly from the complete set of components, , and each component is equally likely of being selected. The selected scenarios can be represented in matrix form.

(8)

Where is the level of strain and is the number of samples used. Each row in the strain matrix corresponds to one sampled scenario.

The repair system is represented as a queueing system, (see Fig. 2), in which jobs are serviced by a specified number of two-man repair teams, using materiel, , that are in stock. Failure modes and repair times of components are stochastic variables.

Fig. 2. Overview of repair system model, including repair teams, , three queues and stock containing materiel, . (BUP=backup power)

Model entities: The repair system model consists of four types of model entities: jobs, queues, repair teams and stock. Jobs have parameters specifying repair time, materiel needed, as well as number of repair teams that are needed. One queue hold backup power (BUP) installation jobs, one queue holds repair jobs. An additional queue holds completed jobs, which simplifies post-simulation analysis. Repair teams serve the first job in queue that is serviceable with available resources. Repair teams can cooperate if required. The stock holds resources, amount of resources is specified with a vector.

Process overview: On each time it is checked if the stock inventory or the number of repair teams should be updated. The time points at which additional resources arrive as well as

the amount of resources arriving is specified by a matrix. Repair teams do one of the following:

If the repair team is working it:

Returns materiel to stock if the required usage time for these has passed.

Finishes current job if the job has been serviced for the required time. The repair team then becomes ready to take new assignments.

If the repair team is not currently working it does one of the following:

Joins a currently ongoing repair operation that is understaffed.

Begins work on the first job in queue that can be serviced with the available resources. The queue of backup power jobs is preferred before the queue of repair jobs because backup power installation is more time efficient.

The repair system model was implemented in object oriented programming in Matlab®.

Job prioritization: Although variations may exist among distribution system operators (DSOs), repair jobs are likely to be prioritized so that energy not supplied (ENS) is minimized. This goal is reached by prioritizing jobs that bring back most load per hour of work time. Stations that supply critical customers (e.g. hospitals and police) are likely to be prioritized. In the model, repairs are prioritized in descending order in accordance with , meaning the utility of the job with respect to restoring power to critical customers. Faults that have identical are prioritized amongst each other in descending order based on , meaning the utility of the job with respect to supply of lost load. and with respect to installation of backup power are calculated through (9) and (10).

(9)

(10)

Where is a boolean being 1 if station is serving critical customers, otherwise 0, is the number of backup power units required by station and is amount of power consumed by station . Work time is not considered when prioritizing backup installation jobs since we were told by the DSO that time required for installation of backup units is constant and therefore will not affect prioritization order. and of repair jobs are calculated through (11) and (12).

(11)

(12)

Where is utility of fault with respect to supplying critical customers and is the utility of fault with respect to supplying lost load, is total number of stations supplying critical customers that are brought back by repairing fault ,

is total power that is brought back through repairing fault

, is time required to repair fault . In order to decide and all network islands are identified. Islands are defined as internally connected, non-supplied and non-faulty parts of the network, encompassing one secondary sub-station or more.

and can then be calculated as in (13) and (14).

(13)

(14)

Where is the total number of stations serving critical customers in the :th network island, is the power consumed in the :th network island and is a Boolean, being 1 if component is connected to a supplied region in the network, otherwise 0.

IV. CASE STUDY

The hybrid model is demonstrated in a case study on a municipal electricity distribution system in Southern Sweden, which has also been studied from differing perspectives in [11] and [12]. The system supplies approximately 40,000 customers with a total power demand of 98 MW, averaged over the year. In the analysis six levels of strain are considered: N-1, N-2, N-3, N-6, N-9 and N-12 (N-k stands for a failure of k out of the total N network components).

The model is parameterized based on information gathered through interviews with employees at the DSO. In Table I we see resources that are available initially or that become available over time. nt for any amount of repairs. As is seen after 12-24 hours amount of most resource become sufficient for any number of repairs. This is due to cooperation existing between DSOs assuring that a DSO that is in need will get additional resources from other DSOs. Two kinds of resources, trucks and excavators, are not permanently consumed but are returned to the stock when a usage time has passed. The usage time is deterministically set to 3.5 hours in accordance with information from the DSO.

Information was also gathered concerning failure modes and repair times (see Table II). For many types of repair jobs the repair time is uncertain (uncertainty interval is indicated with brackets). Repair times are here modelled assuming rectangular distribution in the uncertainty interval. From the interviews we found that a 2-man repair team can perform a job that requires a 4-man team, but the repair time will then double. If a repair team joins an already ongoing, understaffed repair operation the remaining repair time is assumed to be half as long.

Supply of customers can be achieved not only through repair of components but also through use of backup solutions (see Table III). Installation of a spare station has the same effect as repair of a station. Installation of BUP units is a relatively quick way of restoring supply, but the output power of these units is limited to 400 kW. For this reason stations

stations in the studied network) are assumed to require two BUP-units. The DSO has stated that they will not install more than two BUP-units at a station. For this reason it is assumed that BUP units will not be installed at stations with an average

studied network). Finally, installation of mobile primary sub-stations makes it possible to substitute failed transformers and busbars at primary sub-stations.

TABLE I. ARRIVAL OF REPAIR TEAMS AND RESOURCES. INDICATES THAT RESOURCES ARE SUFFICIENT OR ANY KIND OF REPAIR ACTIVITIES.

Time Immediately

available Delivery1

(3h) Delivery2

(5h) Delivery3 ([12,24])

Two-man teams 1 13

Cable (m) 2000 Sec. Sub-

stat. Trans. 5

Truck 0 4

Excavator 3

Switchgear 3 5 Prim. Sub-

stat. Breaker 8

BUP 400 kW 6 10

Spare stat. 2

TABLE II. COMPONENT FAILURE DATA, BRACKETS INDICATE UNCERTAINTY.

Comp-onent

Fault mode

Rel. likeli-hood

Materiel used

Repair teams used

Repair time

Sec. Sub-stat.

Cable ending Fault 80%

Truck excavator cable(20m) 4-man 7 hours

Transfor-mer Fault 10%

Truck transformer 2-man

[4,8] hours

Switch-gear fault 10%

Truck excavator cable(20m) switch-gear 4-man

[7,10] hours

Prim. Sub-stat. Cable no digging

Truck cable(20m) 2-man 2 hours

Prim. Sub-stat. Cable, digging

Truck excavator cable(20m) 2-man

[5,7] hours

Other Cable

Easy to find 90%


[2,24] hours

Hard to find 10%


[48,72] hours

Breaker

Truck breaker cable(20m) 2-man 0.5 hours

A. Running simulations

The hybrid model is initially run continuously, meaning that a constant time step (¼ hours) is used. However, three types of events (installation of movable primary sub-stations, repair of primary sub-station transformers and -busbars) occur after

long time durations making discrete event simulation advantageous. Fig. 3 shows the division that is made between continuous and discrete simulation domains. Installation of mobile primary sub-stations and repair of primary sub-station transformers is limited by the number of available mobile primary sub-stations and transformers respectively. Two are available of each. Repair of busbars is here not assumed to be a limiting factor, meaning that all busbars will be repaired after 30 days.

TABLE III. TYPES OF INSTALLATIONS THAT CAN BE PERFORMED.

Type of installation

Resource required

Repair teams required Installation time

Spare station Spare station,

truck, excavator 4-man 10 hours

BUP BUP unit, truck, 2-man 1.5 hours Movable

Prim. Sub-stat.

5 days (transport. time included)

Fig. 3. Time of occurrence of discrete events.

15,000 samples is used in the analysis forall levels of strain. We use the coefficient of variation, , to assess the convergence of the result [13]. The coefficient of variation is calculated according to (16).

(16)

Where is the variance in the result , is the number of samples and is the expected result. The latter is calculated according to (17).

(17)

The assessment considers three levels of strain, N-1, N-6 and N-12, spanning the range of strains included in the analysis. In

2%. A -value of 6% has previously been considered to indicate acceptable convergence [13].

V. RESULTS

The DSO estimated that additional resources would arrive after between 12 and 24 hours. Results were obtained assuming the best (12 hours delivery time) and worst case (24 hours delivery time). It was found that differences in results were minor and therefore only results assuming resource arrival after 24 hours are shown here. In Fig. 4 we see rapidity and robustness for all simulated scenarios. 15,000 samples are used for each level of strain giving a total of 90,000 simulated scenarios. Concerning robustness the lowest values are close to 0.85, meaning that almost 15% of the load is lost.

Concerning rapidity we see that scenarios are divided into three clusters based on restoration time. The rightmost cluster consists of scenarios in which installation of movable primary sub-stations (occurring after 120 hours) is necessary for restoring load, the middle cluster of scenarios in which repair of long duration cable failures (having a repair time between 48 and 72 hours) is necessary for restoring load and the leftmost cluster consists of remaining scenarios. The majority of the scenarios are clustered in the top left corner, meaning that they are associated with relatively short restoration time and high robustness. A few scenarios are at the bottom of the graph (implying lower robustness) or to the right (implying longer restoration time). These scenarios should be of more concern for the network operator.

Results are obtained showing how robustness and rapidity changes with level of strain (see Fig. 5 A and B). It can be seen from Fig. 5 A that mean robustness decreases with level of strain down to an average of a about 0.985 for N-12 level of strain, meaning about 1.5% of the power will be interrupted on average. We see that there is a more rapid decrease in the 5%-percentile (dashed line). At the N-12 level of strain the 5%-percentile is 0.95, meaning that in 5% of the simulated scenarios the interrupted power is 5% or more. The 95%-percentile is very close to 1, showing that some of the high strain scenarios have very little impact on power supply. From Fig. 5 B we see that rapidity increases with level of strain, from an average of about 2 hours, at the N-1 level of strain, to an average of about 8 hours, on the N-12 level of strain. We also see an increase in the percentiles. The 95%-percentile increases from about 5 hours, at the N-1 level of strain to about 15 hours, at the N-12 level of strain. In other words, at the highest level of strain 5% of the scenarios will have a rapidity that is 15 hours or longer.

Fig. 4. Robustness and rapidity of the system is shown with respect to 90,000 samples equally divided among the strain levels N-1, N-2, N-3, N-6, N-9 and N-12.

Resilience loss is assessed for all scenarios and strains, see Fig. 6. Resilience loss is shown on a logarithmic scale meaning that a resilience loss of zero is not seen. We can in this way see what fraction of scenarios that will result in no outages for the different levels of strain. For N-1 strain only a bit more than a third of the scenarios will have any consequences for the customers while for N-12 scenarios all scenarios will impact customers. We can also see that the worst scenarios result in a resilience loss of close to 10, which

is the equivalent of an outage of the entire system for 10 hours.

VI. DISCUSSION

The main conclusion that can be drawn from the case study is that the proposed method is useful for assessing the resilience of electricity distribution networks with respect to robustness, rapidity and resilience loss. Concerning the studied system, it is found that robustness of the system is generally high. Even at the largest level of strain (N-12) only about 1.5% of the power supply will be disrupted on average, and less than 5% of the power supply will be disrupted in 95% of the scenarios. The system generally performs well also concerning rapidity. At the highest level of strain the rapidity will be about 10 hours on average and in 95% of the scenarios the rapidity will be 15 hours or lower.

Fig. 5. Mean (solid line) as well as 5 and 95%-percentiles (dashed lines) of robustness (A) and rapidity (B) for strains ranging from N-1 to N-12.

Fig. 6. Resilience loss of all scenarios. Unit of resilience loss is normalized user hours. Strain levels N-1(o), N-2(downward pointing triangle), N-3(*), N-6(x), N-9(square), N-12(upward pointing triangle).

Results obtained here make it possible for network operators to see how well they are performing at present in relation to three metrics that are crucial for assessing

resilience. The scatter plot showing robustness and rapidity of all simulated scenarios make it possible to identify outage scenarios for which rapidity is high or robustness is low. Improving performance with respect to these scenarios should be of special concern for the network operator. A further contribution of the work is that high levels of strain are analysed. While preparation for N-1 events is commonplace today, analysis of higher levels of strain is necessary in order to be able to handle extreme events. A possible application for the here described hybrid model is to explore the impact that decision variables have on system resilience. Such decision variables can be related to the technical network (e.g. investment in new network components) or the repair system (e.g. choices concerning amount of repair system resources and repair prioritization rules). The approach applied here, consisting in a combination of modelling of a technical network and a repair system, is generic and appears to be applicable not only to electricity distribution networks but also to electricity transmission networks as well as to a wider range of critical infrastructures; including transport, water, and telecommunication systems. In order to adapt the approach to these other systems the simulation models used will however have to be adapted in several ways. For instance, concerning modelling of resilience of electricity transmission systems travel times will be longer and, most likely, it will not be possible to disregard them as is the practice here. Exploring the possibilities for applying the approach on other types of systems should be a topic for future research.

VII. SUMMARY

A hybrid model is used for quantification of three crucial aspects of resilience: robustness, rapidity and resilience loss. The model is tested in a case study and is shown to be applicable for an electricity network. The obtained results revealed that the studied system generally has a high robustness and low rapidity. Illustration of all individual outage scenarios however revealed that for a small fraction of the scenarios robustness and rapidity are poor. A benefit of the suggested model is that these extreme scenarios can be identified and dealt with. A final conclusion from the work is that the here presented approach can be of use for assessing how decision variables related to the technical network (e.g. new network components) and the repair system (amount of available resources and repair prioritization rules) are impacting system resilience.

VIII. ACKNOWLEDGEMENT

Support from the DSO, that supplied the data, and the Swedish Civil Contingencies Agency (the PRIVAD-project), which funded the research, is greatly acknowledged.

REFERENCES

[1] F. Landegren, J. Johansson och O. Samuelsson, A Method for Assessing Margin and Sensitivity of Electricity Networks with Respect Repair System Resources, Submitted to IEEE Trans. Smart Grid.

[2] S. Hosseini, K. Barker och J. E. Ramirez-Marquez, A review of definitions and measures of system resilience, Reliability Engineering & System Safety, vol. 145, pp. 47-61, 2016.

[3] C. W. Zobel, Representing perceived tradeoffs in defining disaster resilience, Decision Support Systems, vol. 50, nr 2, pp. 394-403, 2011.

[4] M. Reinhorn, M. Shinozuk, K. Tierney, W. A. Wallace och D. von Winterfeldt, A Framework to Quantitatively Assess and Enhance the Seismic Resilience of Communities, Earthquake spectra, vol. 19, nr 4, pp. 733-752, 2003.

[5] D. A. Reed, K. C. Kapur och R. D. Christie, Method for assessing the resilience of networked infrastructure, Systems Journal, IEEE, vol. 3, nr 2, pp. 174-180, 2009.

[6] M. Isumi, N. Nomura och T. Shibuya, Simulation of Post-Earthquake Restoration of Lifeline Systems, International journal of mass emergencies and disasters, vol. 3, nr 1, pp. 87-105, 1985.

[7] F. Kozin och H. Zhou, System study of urban response and reconstruction due to earthquake, Journal of Engineering Mechanics, vol. 116, nr 9, pp. 1959-1972, 1990.

[8] H. Liu, R. A. Davidson och T. Apanasovich, Statistical forecasting of electric power restoration times in hurricanes and ice storms, IEEE Trans. Power Syst., vol. 22, nr 4, pp. 2270-2279, 2007.

[9] N. Balijepalli, S. S. Venkata, C. W. Richter Jr, R. D. Christie och V. J. Longo, Distribution system reliability assessment due to lightning storms, IEEE Trans. Power Del., vol. 20, nr 3, pp. 2153-2159, 2005.

[10] J. Johansson, Risk and vulnerability analysis of interdependent technical infrastructures: addressing socio-technical systems, Lund university, 2010.

[11] H. Jönsson, J. Johansson och H. Johansson, Identifying critical components in technical infrastructure networks, Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability, vol. 222, nr 2, pp. 235-243, 2008.

[12] F. Landegren, J. Johansson och O. Samuelsson, Comparing Societal Consequence Measures of Outages in Electrical Distribution Systems, i European Safety and Reliability Association Conference, Wroclaw, Poland, 2014.

[13] A. Sankarakrishnan och R. Billinton, Sequential Monte Carlo simulation for composite power system reliability analysis with time varying loads, IEEE Trans. Power Syst., vol. 10, nr 3, pp. 1540-1545, 1995.

FINN

LAN

DEG

REN

Technical infrastructure netw

orks as socio-technical systems 2017

978

9188

9348

40Faculty of Engineering

Division of Industrial Electrical Engineering and AutomationISBN 978-91-88934-84-0

CODEN LUTEDX/(TEIE-1082/1-154/(2017)

Technical infrastructure networks as socio-technical systemsAddressing infrastructure resilience and societal outage consequencesFINN LANDEGREN

FACULTY OF ENGINEERING | LUND UNIVERSITY

Finn Landegren has been a Ph.D. student at the Division of Industrial Electrical Engineering and Automation, Lund University, Sweden. He has a Master’s degree in Socio-technical systems engineering from Uppsala University. His research is funded by the Swedish civil contingencies agency and concerns development of methods for analysis of large disturbance events in technical infrastructure networks. Two main aspects have been in focus in the research work: the process of restoring infrastructure services after large disturbance events and the societal consequences of infrastructure outage.

Date post:	08-Jul-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

FINN LANDEGREN Technical infrastructure networks as socio … · 2017-12-01 · Annalee Newitz from...

Documents